CVE-2024-9463
Published 2024-10-09. CVE-2024-9463: An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition…
Priority: P1 (93, high) · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-12-05
Exploited in the wild
EPSS: 98.42% (99.9th percentile)
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
Detection & IOCs (extracted from sources)
snort

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/API/convertCSVtoParquet.php"; fast_pattern; nocase; http.request_body; content:"ram|3d|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:cve,2024-9463; reference:url,x.com/watchtowrcyber/status/1844306954245767623; classtype:web-application-attack; sid:2057721; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2024_9463, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets an HTTP POST to /API/convertCSVtoParquet.php with a 'ram' parameter containing OS command injection payloads using shell metacharacters (backtick, semicolon, pipe, ampersand, newline, $).
- Successful exploitation of CVE-2024-9463 results in the response body containing 'Undefined index: taskID', which can be used as a confirmation matcher.
- Palo Alto Expedition instances can be fingerprinted on Shodan using favicon hash 1499876150 to identify exposed attack surface.
- The vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities Catalog; monitor for unauthenticated POST requests to Expedition PHP endpoints.
- The Snort/ET rule requires TLS decryption (SSLDecrypt) to inspect the POST body for the 'ram' parameter injection payload; without TLS inspection, the rule will not fire on HTTPS traffic.
- The nuclei template uses out-of-band (interactsh) callback detection; the 'Undefined index: taskID' body matcher alone is not sufficient to confirm exploitation without the OOB DNS/HTTP interaction.
- According to Wiz data, Expedition is exposed to the internet in less than 1% of cloud environments, with only 106 exposed servers found by FOFA; detection efforts should prioritize on-premises and hybrid deployments.
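The detection notes above describe three pieces that belong together in triage: the request-side conditions of the ET rule (sid 2057721), the TLS-decryption prerequisite, and the weak 'Undefined index: taskID' response marker. The following is an added example, not code from this page or from the rule's authors, that replays the rule's request-side logic in Python over constructed request/response records and combines it with the response marker into a triage verdict. The `HttpExchange` record shape, the sample exchanges, and the verdict labels ("blind", "benign", "attempt", "attempt+indicator") are assumptions made for this example; the endpoint, the `ram=` marker, the metacharacter set and the response string are taken from the rule and notes on this page.

```python
"""Replay of the ET rule (sid 2057721) request conditions for CVE-2024-9463.

Added example; the exchange record and samples are constructed for
illustration. As with the rule itself, only decrypted HTTP can be inspected.
"""
from dataclasses import dataclass

# Values taken from the rule and detection notes quoted on this page.
RULE_SID = 2057721
URI_MARKER = "/API/convertCSVtoParquet.php"          # content on http.uri, nocase
CONTENT_MARKER = b"ram="                            # content:"ram|3d|" on request body
# pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R": one of ; \n & ` | $ after "ram="
SHELL_METACHARS = frozenset(b";\n&`|$")
# Body marker the nuclei template uses; the notes say it is not sufficient alone.
SUCCESS_MARKER = b"Undefined index: taskID"


@dataclass
class HttpExchange:
    """One request/response pair as a sensor would see it (constructed shape)."""
    method: str
    uri: str
    request_body: bytes
    response_body: bytes = b""
    tls_decrypted: bool = True  # False models HTTPS seen without SSL inspection


def request_matches_rule(ex: HttpExchange) -> bool:
    """True when the request satisfies the rule's request-side conditions."""
    if not ex.tls_decrypted:
        return False  # tls_state TLSDecrypt: nothing to inspect on opaque TLS
    if ex.method != "POST":  # http.method; content:"POST"
        return False
    if URI_MARKER.lower() not in ex.uri.lower():  # nocase URI match
        return False
    idx = ex.request_body.find(CONTENT_MARKER)  # http.request_body; content
    if idx < 0:
        return False
    # /R anchors the pcre right after the content match; \n is in the class,
    # so effectively any listed metacharacter later in the body satisfies it.
    tail = ex.request_body[idx + len(CONTENT_MARKER):]
    return any(byte in SHELL_METACHARS for byte in tail)


def classify(ex: HttpExchange) -> str:
    """Combine the rule match with the response marker into a triage verdict."""
    if not ex.tls_decrypted:
        return "blind"  # the rule cannot fire; flag the visibility gap instead
    if not request_matches_rule(ex):
        return "benign"
    if SUCCESS_MARKER in ex.response_body:
        return "attempt+indicator"  # still needs OOB or host evidence to confirm
    return "attempt"


# Constructed sample exchanges (not captured traffic).
SAMPLE_EXCHANGES = {
    "injection_attempt": HttpExchange(
        "POST", "/API/convertCSVtoParquet.php",
        b"ram=upload.csv;injected", b"Notice: Undefined index: taskID"),
    "benign_upload": HttpExchange(
        "POST", "/API/convertCSVtoParquet.php", b"ram=upload.csv", b"{}"),
    "wrong_method": HttpExchange(
        "GET", "/API/convertCSVtoParquet.php?ram=a;b", b""),
    "other_endpoint": HttpExchange(
        "POST", "/API/other.php", b"ram=a|b"),
    "undecrypted_https": HttpExchange(
        "POST", "/API/convertCSVtoParquet.php", b"ram=a`b", tls_decrypted=False),
}


def run_samples() -> dict:
    """Classify every sample exchange; used for the stand-alone run below."""
    return {name: classify(ex) for name, ex in SAMPLE_EXCHANGES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"sid {RULE_SID} {name:20s} -> {verdict}")
```

The "blind" verdict is the practical point of the TLS caveat: on an HTTPS-only sensor the rule is silent, so the absence of alerts says nothing, and coverage has to come from SSL inspection or from the Expedition host's own web server logs.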
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 9.9 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber |
| vulncheck | — | 9.9 | CRITICAL | — |
| cisa | — | 9.9 | CRITICAL | — |
CISA
Palo Alto Networks Expedition OS Command Injection Vulnerability
cisa·2024-11-14·CVSS 9.9
CVE-2024-9463 [CRITICAL] CWE-78 Palo Alto Networks Expedition OS Command Injection Vulnerability
Vulnerability: Palo Alto Networks Expedition OS Command Injection Vulnerability
Affected: Palo Alto Networks Expedition
Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security.paloaltonetworks.com/PAN-SA-2024-0010 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9463
Remediation Due Date: 2024-12-05
Palo Alto
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
vendor_paloalto·2024-10-09·CVSS 9.9
[CRITICAL] CWE-532 PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.
CVE-2024-9463, CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N): An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as roo
GHSA
GHSA-r2fh-mj7f-v33r: An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expe
ghsa_unreviewed·2024-10-09
CVE-2024-9463 [CRITICAL] CWE-78 GHSA-r2fh-mj7f-v33r: An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expe
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
VulnCheck
Palo Alto Networks Expedition OS Command Injection Vulnerability
vulncheck·2024·CVSS 9.9
CVE-2024-9463 [CRITICAL] CWE-78 Palo Alto Networks Expedition OS Command Injection Vulnerability
Palo Alto Networks Expedition OS Command Injection Vulnerability
Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Affected: Palo Alto Networks Expedition
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-15&host_type=src&vulnerability=cve-2024-9463; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-10-16&host_type=src&vulnerability=
Suricata
ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)
suricata·2024-11-19·CVSS 9.9
CVE-2024-9463 [CRITICAL] ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)
ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/API/convertCSVtoParquet.php"; fast_pattern; nocase; http.request_body; content:"ram|3d|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:cve,2024-9463; reference:url,x.com/watchtowrcyber/status/1844306954245767623; classtype:web-application-attack; sid:2057721; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2024_9463, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Majo
Nuclei
PaloAlto Networks Expedition - Remote Code Execution
nuclei·CVSS 9.9
CVE-2024-9463 [CRITICAL] PaloAlto Networks Expedition - Remote Code Execution
PaloAlto Networks Expedition - Remote Code Execution
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Template:

```yaml
id: CVE-2024-9463
info:
  name: PaloAlto Networks Expedition - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  impact: |
    Successful exploitatio
```
Bleepingcomputer
CISA warns of more Palo Alto Networks bugs exploited in attacks
blogs_bleepingcomputer·2024-11-14·CVSS 9.9
CVE-2024-9463 [CRITICAL] CISA warns of more Palo Alto Networks bugs exploited in attacks
By Sergiu Gatlan
CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.
Attackers can use the two unauthenticated command injection ( CVE-2024-9463 ) and SQL injection ( CVE-2024-9465 ) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (includ
Wiz
Crying Out Cloud - November 2024 Newsletter | Wiz
blogs_wiz·2024-11-01·CVSS 7.2
[HIGH] Crying Out Cloud - November 2024 Newsletter | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
Wiz
3 Critical CVEs in Palo Alto Networks Expedition | Wiz Blog
blogs_wiz·2024-10-10·CVSS 9.9
CVE-2024-9463 [CRITICAL] 3 Critical CVEs in Palo Alto Networks Expedition | Wiz Blog
Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly.
## What are these vulnerabilities?
Expedition is a tool designed to help the migration process of configurations from supported vendors to Palo Alto Networks systems. Expedition allows users to convert configurations from vendors like Checkpo
Bleepingcomputer
Palo Alto Networks warns of firewall hijack bugs with public exploit
blogs_bleepingcomputer·2024-10-09·CVSS 9.3
[CRITICAL] Palo Alto Networks warns of firewall hijack bugs with public exploit
By Sergiu Gatlan
Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Checkpoint, Cisco, or other supported vendors.
They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory publishe
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
NoiseLetter October 2024
Timeline: 2024-10-09 published · 2024-11-14 added to CISA KEV · exploited in the wild