CVE-2024-5910
published 2024-07-10


Priority: P196
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2024-11-28)
Exploited in the wild
EPSS: 91.78% (99.8th percentile)
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue.

Affected

3 ranges

Vendor               Product      Version range        Fixed in
palo_alto_networks   expedition   >= 1.2 < 1.2.92      1.2.92
paloalto             expedition
paloaltonetworks     expedition   >= 1.2.0 < 1.2.92    1.2.92

Detection & IOCs (extracted from sources)

path: /OS/startup/restore/restoreAdmin.php
other: http.favicon.hash:1499876150
  • An HTTP GET request to /OS/startup/restore/restoreAdmin.php that returns HTTP 200 with a body containing both 'Admin user found' and 'Admin password restored' confirms a successful unauthenticated admin credential reset (CVE-2024-5910 exploitation).
  • CVE-2024-5910 is chained with CVE-2024-9464 (command injection) in the Horizon3.ai PoC to achieve unauthenticated arbitrary command execution on Internet-exposed Expedition servers.
  • Internet-exposed Palo Alto Expedition instances can be identified with the Shodan favicon hash 1499876150 to enumerate attack surface.
  • The Nuclei template targets a single unauthenticated GET endpoint; max-request is 1, meaning detection is a single-shot check with no authentication required.
  • Chaining with CVE-2024-9464 extends the impact beyond admin takeover to full unauthenticated RCE; defenders should treat CVE-2024-5910 exploitation as a potential precursor to command injection.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Red
vulncheck             9.3     CRITICAL
cisa                  9.3     CRITICAL