The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-severity vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerability (KEV) Catalog.
The two Palo Alto Networks vulnerabilities, identified as CVE-2024-9463 and CVE-2024-9465, both carry critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.
The vulnerabilities in question—CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection)—impact Palo Alto Networks’ Expedition software, a tool for migrating and optimizing PAN-OS configurations. Both flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality.
These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing significant risks to organizations’ security.
The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system.
If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.
Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.
Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system’s database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise.
As with CVE-2024-9463, CVE-2024-9465 affects Expedition versions prior to 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. Because the PoC code is now accessible, potential attackers can more easily replicate the exploit and target vulnerable systems.
Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.
Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.
Palo Alto Networks has already released patches to address both vulnerabilities, and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:
The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA’s Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in the Palo Alto Networks Expedition.
With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.