CVE-2024-9464
published 2024-10-09


Priority: P2 · 67 · medium
CVSS 3.1 base score: 6.5 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N)
Exploit status: EXPLOIT
EPSS: 81.71% (99.6th percentile)
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Affected

5 ranges
Vendor              | Product        | Version range       | Fixed in
--------------------|----------------|---------------------|---------
palo_alto_networks  | expedition     | >= 1.2.0 < 1.2.96   | 1.2.96
paloalto            | pan-os         |                     |
paloalto            | panorama       |                     |
paloalto            | prisma_access  |                     |
paloaltonetworks    | expedition     | >= 1.2.0 < 1.2.96   | 1.2.96

Detection & IOCs (extracted from sources)

path:    /OS/startup/restore/restoreAdmin.php
path:    /bin/CronJobs.php
version: Palo Alto Expedition <= 1.2.91
  • CVE-2024-9464 is an authenticated OS command injection that executes commands as root (or www-data in default installs). Chain detection: look for CVE-2024-5910 admin password reset followed immediately by authenticated command injection requests to Expedition HTTP endpoints.
  • Alert on unexpected access or modification of restoreAdmin.php, which is the endpoint leveraged by CVE-2024-5910 to reset admin credentials as part of the exploit chain leading to CVE-2024-9464 command injection.
  • Monitor Expedition systems for OS-level processes spawned by www-data or root that are unusual (e.g., shells, curl, wget), as successful CVE-2024-9464 exploitation runs arbitrary OS commands in those contexts.
  • Use Cortex Xpanse / Cortex XSIAM ASM module to identify internet-exposed Expedition instances; the 'Palo Alto Networks Firewall Admin Login' attack surface rule can surface exposed management interfaces.
  • CVE-2024-9464 requires authentication (PR:L), but becomes effectively unauthenticated when chained with CVE-2024-5910, which resets the admin password. Detections must account for both the standalone authenticated path and the chained unauthenticated path.
  • These vulnerabilities do not affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFW directly — only the Expedition migration tool itself is the attack surface.

CVSS provenance

NVD, CVSS v3.1: 6.5 MEDIUM
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v4.0: 9.3 CRITICAL
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber