Attackers Exploiting Palo Alto Expedition Bug

CISA is warning that attackers are exploiting a very simple but critical bug in Palo Alto Networks’ Expedition migration and configuration tool. The flaw was disclosed in July but public exploitation only emerged this week. 

CVE: CVE-2024-5910

Why It Matters: PAN’s Expedition is an enterprise tool for migrating data and configurations from third-party vendors into PAN devices, and as such it can hold quite a bit of valuable data, including secrets and other confidential information. The tool has had a number of vulnerabilities in the last few months, including a series of flaws that researchers from Horizon3 disclosed in October that could give an attacker full access to Expedition. The CVE-2024-5910 bug is about as simple as they come: a lack of authentication.

“Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue,” the description says. 

Key Details

  • CVE-2024-5910 is a critical vulnerability that affects versions 1.2.91 and earlier of Expedition

  • An attacker who exploits the flaw (which, again, requires no authentication) can gain access to a potentially rich trove of sensitive information

  • CISA has added the bug to its Known Exploited Vulnerabilities catalog, which means it has direct evidence of exploitation

The vulnerability has been public for four months, giving attackers plenty of time to get their arms around it, so it’s a little surprising that it has taken this long for public exploitation to emerge. PAN lists the flaw as having the highest possible urgency to patch, so any enterprise that has a vulnerable version of Expedition deployed should prioritize fixing it as soon as possible.