CVE-2024-9464
Published 2024-10-09
CVE-2024-9464: An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition…
Priority P267 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 81.71% (99.6th percentile)
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
| paloalto | pan-os | — | — |
| paloalto | panorama | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | expedition | >= 1.2.0 < 1.2.96 | 1.2.96 |
Detection & IOCs (extracted from sources)
- CVE-2024-9464 is an authenticated OS command injection that executes commands as root (or www-data in default installs). Chain detection: look for a CVE-2024-5910 admin password reset followed immediately by authenticated command injection requests to Expedition HTTP endpoints.
- Alert on unexpected access to or modification of restoreAdmin.php, which is the endpoint leveraged by CVE-2024-5910 to reset admin credentials as part of the exploit chain leading to CVE-2024-9464 command injection.
- Monitor Expedition systems for unusual OS-level processes spawned by www-data or root (e.g., shells, curl, wget), as successful CVE-2024-9464 exploitation runs arbitrary OS commands in those contexts.
- Use the Cortex Xpanse / Cortex XSIAM ASM module to identify internet-exposed Expedition instances; the 'Palo Alto Networks Firewall Admin Login' attack surface rule can surface exposed management interfaces.
- CVE-2024-9464 requires authentication (PR:L), but becomes effectively unauthenticated when chained with CVE-2024-5910, which resets the admin password. Detections must account for both the standalone authenticated path and the chained unauthenticated path.
- These vulnerabilities do not affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFW directly; only the Expedition migration tool itself is the attack surface.
CVSS provenance
- NVD v3.1: 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- NVD v4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber)
Palo Alto: PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
vendor_paloalto · 2024-10-09 · CVSS 9.9 · [CRITICAL] · CWE-532
Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system. Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.
CVE-2024-9463, CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N): An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as roo
GHSA: GHSA-r7wf-fpff-w68q
ghsa_unreviewed · 2024-10-09 · CVE-2024-9464 · [CRITICAL] · CWE-78
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Suricata: ET WEB_SPECIFIC_APPS Palo Alto Expedition Authenticated Command Injection via Cronjobs (CVE-2024-9464)
suricata · 2024-10-10 · CVSS 9.3 · CVE-2024-9464 · [CRITICAL]
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition Authenticated Command Injection via Cronjobs (CVE-2024-9464)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bin/CronJobs.php"; fast_pattern; http.cookie; content:"PHPSESSID|3d|"; http.request_body; content:"action|3d|set"; content:"start_time|3d|"; pcre:"/^[^&]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x26|%26)|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))/R"; reference:url,www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/; reference:cve,2024-9464; classtype:web-application-attack; sid:2056641; rev:1; metadata:affected_product Palo_Alto_Ne
```
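The Detection & IOCs bullets above describe a chained detection (restoreAdmin.php reset followed by CronJobs.php injection) and the Suricata rule above gives the concrete request shape. The following added example (not from the page's sources or from Palo Alto Networks) re-implements both checks over constructed request events, as a log-pipeline or SIEM analytic would; the restoreAdmin.php path and the sample source addresses are placeholders.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Shell metacharacters the ET rule (sid 2056641) flags inside the start_time value
SHELL_META = set(";\n&`|$")

def is_cronjob_injection(req):
    """Mirror of ET sid 2056641: an authenticated POST to /bin/CronJobs.php with
    action=set and a start_time value carrying a shell metacharacter (raw or URL-encoded)."""
    if req["method"] != "POST" or "/bin/CronJobs.php" not in req["uri"]:
        return False
    if "PHPSESSID=" not in req.get("cookie", ""):
        return False  # rule requires an authenticated session cookie
    body = req.get("body", "")
    if "action=set" not in body:
        return False
    m = re.search(r"(?:^|&)start_time=([^&]*)", body)
    if not m:
        return False
    value = unquote(m.group(1))  # %3B -> ';', %0A -> '\n', %26 -> '&', %7C -> '|', ...
    return any(c in SHELL_META for c in value)

def is_admin_reset(req):
    """CVE-2024-5910 path: any hit on restoreAdmin.php (matched on filename only)."""
    return "restoreAdmin.php" in req["uri"]

def detect_chain(events, window=timedelta(minutes=30)):
    """Return (src, reset_ts, inject_ts) for every source whose restoreAdmin.php hit is
    followed within `window` by a CronJobs.php injection from the same source."""
    hits, last_reset = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_admin_reset(ev):
            last_reset[ev["src"]] = ev["ts"]
        elif is_cronjob_injection(ev):
            t0 = last_reset.get(ev["src"])
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append((ev["src"], t0, ev["ts"]))
    return hits

# Constructed sample events (not real captures); 203.0.113.x / 198.51.100.x are documentation ranges
T = datetime(2024, 10, 10, 12, 0)
SAMPLE_EVENTS = [
    {"ts": T, "src": "203.0.113.5", "method": "GET", "uri": "/restoreAdmin.php", "cookie": "", "body": ""},
    {"ts": T + timedelta(minutes=2), "src": "203.0.113.5", "method": "POST", "uri": "/bin/CronJobs.php",
     "cookie": "PHPSESSID=placeholder", "body": "action=set&start_time=23%3A00%3B&cron=daily"},
    {"ts": T + timedelta(minutes=5), "src": "198.51.100.9", "method": "POST", "uri": "/bin/CronJobs.php",
     "cookie": "PHPSESSID=placeholder", "body": "action=set&start_time=23%3A00&cron=daily"},
]
```

Only the first source trips the chain: its CronJobs.php request carries an encoded `;` in start_time two minutes after the restoreAdmin.php hit, while the second source's benign start_time value is ignored.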
Bleepingcomputer: CISA warns of more Palo Alto Networks bugs exploited in attacks
blogs_bleepingcomputer · 2024-11-14 · CVSS 9.9 · CVE-2024-9463 · [CRITICAL]
## CISA warns of more Palo Alto Networks bugs exploited in attacks
Sergiu Gatlan
CISA warned today that two more critical security vulnerabilities in Palo Alto Networks' Expedition migration tool are now actively exploited in the wild.
Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company's Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors.
While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (includ
Bleepingcomputer: Palo Alto Networks warns of potential PAN-OS RCE vulnerability
blogs_bleepingcomputer · 2024-11-08
## Palo Alto Networks warns of potential PAN-OS RCE vulnerability
Sergiu Gatlan
Today, cybersecurity company Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface.
In a security advisory published on Friday, the company said it doesn't yet have additional information regarding this alleged security flaw (tracked internally as PAN-SA-2024-0015) and added that it has yet to detect signs of active exploitation.
"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation," i
Bleepingcomputer: CISA warns of critical Palo Alto Networks bug exploited in attacks
blogs_bleepingcomputer · 2024-11-07 · CVSS 9.3 · CVE-2024-5910 · [CRITICAL]
## CISA warns of critical Palo Alto Networks bug exploited in attacks
Sergiu Gatlan
Today, CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS.
This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.
"Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA says.
While the cybersecurity agency
Wiz: Crying Out Cloud - November 2024 Newsletter | Wiz
blogs_wiz · 2024-11-01 · CVSS 7.2 · [HIGH]
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
Wiz: 3 Critical CVEs in Palo Alto Networks Expedition | Wiz Blog
blogs_wiz · 2024-10-10 · CVSS 9.9 · CVE-2024-9463 · [CRITICAL]
Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly.
## What are these vulnerabilities?
Expedition is a tool designed to help the migration process of configurations from supported vendors to Palo Alto Networks systems. Expedition allows users to convert configurations from vendors like Checkpo
Bleepingcomputer: Palo Alto Networks warns of firewall hijack bugs with public exploit
blogs_bleepingcomputer · 2024-10-09 · CVSS 9.3 · [CRITICAL]
## Palo Alto Networks warns of firewall hijack bugs with public exploit
Sergiu Gatlan
Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from other Checkpoint, Cisco, or supported vendors.
They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory publishe