CVE-2024-5910
Published: 2024-07-10
Priority: P1 96 · critical · 9.8 (CVSS 3.1)
CISA Known Exploited Vulnerability (due 2024-11-28)
Exploited in the wild
EPSS: 91.78% (99.8th percentile)
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | expedition | >= 1.2 < 1.2.92 | 1.2.92 |
| paloalto | expedition | — | — |
| paloaltonetworks | expedition | >= 1.2.0 < 1.2.92 | 1.2.92 |
Detection & IOCs (extracted from sources)
- path: /OS/startup/restore/restoreAdmin.php
- other: http.favicon.hash:1499876150
- HTTP GET request to /OS/startup/restore/restoreAdmin.php returns HTTP 200 with body containing both 'Admin user found' and 'Admin password restored'; this confirms a successful unauthenticated admin credential reset (CVE-2024-5910 exploitation).
- CVE-2024-5910 is chained with CVE-2024-9464 (command injection) by the Horizon3.ai PoC to achieve unauthenticated arbitrary command execution on Internet-exposed Expedition servers.
- Identify Internet-exposed Palo Alto Expedition instances using Shodan favicon hash 1499876150 to enumerate attack surface.
- The Nuclei template targets a single unauthenticated GET endpoint; max-request is 1, meaning detection is a single-shot check with no authentication required.
- CVE-2024-9464 chaining extends impact beyond admin takeover to full unauthenticated RCE; defenders should treat CVE-2024-5910 exploitation as a potential precursor to command injection.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Red |
| vulncheck | — | 9.3 | CRITICAL | — |
| cisa | — | 9.3 | CRITICAL | — |
GHSA
GHSA-px3f-fc5j-2fqv · ghsa_unreviewed · 2024-07-10 · CVE-2024-5910 [CRITICAL] CWE-306
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue.
VulnCheck
Palo Alto Networks Expedition Missing Authentication Vulnerability
vulncheck · 2024 · CVSS 9.3 · CVE-2024-5910 [CRITICAL] CWE-306
Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to take over an Expedition admin account and potentially access configuration secrets, credentials, and other data.
Affected: Palo Alto Networks Expedition
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/outbreak-alert/palo-alto-expedition-vulnerability; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-16&host_type=src&vulnerability=cve-2024-5910; https:/
CISA
Palo Alto Networks Expedition Missing Authentication Vulnerability
cisa · 2024-11-07 · CVSS 9.3 · CVE-2024-5910 [CRITICAL] CWE-306
Affected: Palo Alto Networks Expedition
Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to take over an Expedition admin account and potentially access configuration secrets, credentials, and other data.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security.paloaltonetworks.com/CVE-2024-5910 ; https://nvd.nist.gov/vuln/detail/CVE-2024-5910
Remediation Due Date: 2024-11-28
Palo Alto
Expedition: Missing Authentication Leads to Admin Account Takeover
vendor_paloalto · 2024-07-10 · CVSS 9.3 · CVE-2024-5910 [CRITICAL] CWE-306
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue.
Affected products: Expedition
Solution: This issue is fixed in Expedition 1.2.92 and all later versions.
Workaround: Ensure network access to Expedition is restricted to authorized users, hosts, or networks.
Suricata
ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated Admin Password Reset (CVE-2024-5910)
suricata · 2024-10-10 · CVSS 9.3 · CVE-2024-5910 [CRITICAL]
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated Admin Password Reset (CVE-2024-5910)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/OS/startup/restore/restoreAdmin.php"; fast_pattern; reference:url,www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/; reference:cve,2024-5910; classtype:web-application-activity; sid:2056640; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_10, cve CVE_2024_5910, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploi
```
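An added defensive example, not code from this page or from any of the sources it quotes: the Python below applies the same logic as the Suricata rule above (GET to /OS/startup/restore/restoreAdmin.php) and the Detection & IOCs entry (a 200 whose body carries both 'Admin user found' and 'Admin password restored') to web-server access-log lines and to a captured response body. The combined-log regex and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Endpoint and response markers taken from the Detection & IOCs entry on this page.
RESTORE_ADMIN_PATH = "/OS/startup/restore/restoreAdmin.php"
SUCCESS_MARKERS = ("Admin user found", "Admin password restored")

# Combined log format (Apache/nginx style); constructed parser, not from the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

def classify_access_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a GET to the restoreAdmin endpoint, as the Suricata rule does.

    A 200 is labelled 'likely_success' (the page ties success to a 200 whose
    body carries both markers); any other status is recorded as an 'attempt'.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if m.group("method") != "GET" or path != RESTORE_ADMIN_PATH:
        return None
    verdict = "likely_success" if m.group("status") == "200" else "attempt"
    return {"src": m.group("ip"), "time": m.group("ts"),
            "status": m.group("status"), "verdict": verdict}

def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per matching request, in log order."""
    return [f for f in (classify_access_line(l) for l in lines) if f]

def response_confirms_reset(body: str) -> bool:
    """True only when both success markers appear, i.e. the reset went through."""
    return all(marker in body for marker in SUCCESS_MARKERS)

# Constructed sample access-log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2024:10:15:02 +0000] "GET /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [07/Nov/2024:10:16:40 +0000] "GET /OS/startup/restore/restoreAdmin.php?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '192.0.2.44 - - [07/Nov/2024:10:17:11 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The server's own access log already holds the decrypted request, so this check does not need the TLS decryption the rule's tls_state metadata calls for on the wire; treat any 'likely_success' hit as a credential reset and rotate the secrets Expedition holds.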
Exploit-DB
Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
exploitdb · 2025-04-06 · CVSS 9.3 · CVE-2024-5910 [CRITICAL]
```python
# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
# Shodan Dork: html:"expedition project"
# FOFA Dork: "expedition project" && icon_hash="1499876150"
# Exploit Author: ByteHunter
# Email: [email protected]
# Vulnerable Versions: 1.2 admin:paloalto creds")
            else:
                print(f"Request failed with status code: {response.status_code}\n")
        except requests.exceptions.RequestException as e:
            print(f"Error sending request to {url}") #{e}

def main():
    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
    parser.add_argument('-u', '--url', type=str, help='single target URL')
    parser.add_argument('-l', '--list', type=str, help='URL target list')
```
Nuclei
Palo Alto Expedition - Admin Account Takeover
nuclei · CVSS 9.3 · CVE-2024-5910 [CRITICAL]
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
Template:
```yaml
id: CVE-2024-5910

info:
  name: Palo Alto Expedition - Admin Account Takeover
  author: johnk3r
  severity: critical
  description: |
    Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition.
  impact: |
    Attackers with network access can exploit missing authentication to take over Expedition admin accounts without credentials.
  remediation: |
    Update Palo Alto Networks Expedition to the latest version that patches CVE-2024-5910 as specified in the Pal
```
Metasploit
Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)
metasploit · CVSS 9.3 · CVE-2024-5910 [CRITICAL]
Obtain remote code execution in Palo Alto Expedition version 1.2.91 and below. The first vulnerability, CVE-2024-5910, allows the password of the admin user to be reset, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands are executed in the context of www-data. When credentials are provided, this module only exploits the second vulnerability. If no credentials are provided, the module first tries to reset the admin password and then performs the OS command injection.
Bleepingcomputer
Over 2,000 Palo Alto firewalls hacked using recently patched bugs
blogs_bleepingcomputer · 2024-11-21 · CVSS 9.3 · CVE-2024-0012 [CRITICAL]
## Over 2,000 Palo Alto firewalls hacked using recently patched bugs
By Sergiu Gatlan
Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities.
The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run commands on the firewall with root privileges.
While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was tagged last Friday as CVE-2024-0012).
Palo Alto Networks is still investigat
Bleepingcomputer
Palo Alto Networks patches two firewall zero-days used in attacks
blogs_bleepingcomputer · 2024-11-18 · CVSS 9.3 · CVE-2024-0012 [CRITICAL]
## Palo Alto Networks patches two firewall zero-days used in attacks
By Sergiu Gatlan
Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW).
The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction.
The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.
While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewal
Bleepingcomputer
CISA warns of more Palo Alto Networks bugs exploited in attacks
blogs_bleepingcomputer · 2024-11-14 · CVSS 9.9 · CVE-2024-9463 [CRITICAL]
## CISA warns of more Palo Alto Networks bugs exploited in attacks
By Sergiu Gatlan
CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.
Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (includ
Bleepingcomputer
Palo Alto Networks warns of potential PAN-OS RCE vulnerability
blogs_bleepingcomputer · 2024-11-08
## Palo Alto Networks warns of potential PAN-OS RCE vulnerability
By Sergiu Gatlan
Today, cybersecurity company Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface.
In a security advisory published on Friday, the company said it doesn't yet have additional information regarding this alleged security flaw (tracked internally as PAN-SA-2024-0015) and added that it has yet to detect signs of active exploitation.
"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation," i
Bleepingcomputer
CISA warns of critical Palo Alto Networks bug exploited in attacks
blogs_bleepingcomputer · 2024-11-07 · CVSS 9.3 · CVE-2024-5910 [CRITICAL]
## CISA warns of critical Palo Alto Networks bug exploited in attacks
By Sergiu Gatlan
Today, CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS.
This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.
"Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA says.
While the cybersecurity agency
Bleepingcomputer
Palo Alto Networks warns of firewall hijack bugs with public exploit
blogs_bleepingcomputer · 2024-10-09 · CVSS 9.3 · [CRITICAL]
## Palo Alto Networks warns of firewall hijack bugs with public exploit
By Sergiu Gatlan
Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Checkpoint, Cisco, or other supported vendors.
They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory publishe
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
Timeline
- 2024-07-10: Published
- 2024-11-07: Added to CISA KEV
- Exploited in the wild