cbcvebase.
CVE-2024-9465
published 2024-10-09

Priority: P1 · 98 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-12-05
Exploited in the wild
EPSS: 99.60% (99.9th percentile)
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Affected (5 ranges)

Vendor               Product         Version range        Fixed in
palo_alto_networks   expedition      >= 1.2.0 < 1.2.96    1.2.96
paloalto             pan-os
paloalto             panorama
paloalto             prisma_access
paloaltonetworks     expedition      >= 1.2.0 < 1.2.96    1.2.96

Detection & IOCs (extracted from sources)

path:     /bin/configurations/parsers/Checkpoint/CHECKPOINT.php
command:  action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)
command:  action=get&type=existing_ruleBases&project=pandbRBAC
other:    shodan:http.favicon.hash:1499876150
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palto Alto Expedition Unauthenticated SQL Injection in Checkpoint Config Parser (CVE-2024-9465)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bin/configurations/parsers/Checkpoint/CHECKPOINT.php"; fast_pattern; http.request_body; content:"action|3d|import"; content:"signatureid|3d|"; pcre:"/^[^\x26]*(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)?/i"; reference:url,www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/; reference:cve,2024-9465; classtype:web-application-attack; sid:2056642; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_10, cve CVE_2024_9465, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect exploitation attempts by monitoring for unauthenticated POST requests to /bin/configurations/parsers/Checkpoint/CHECKPOINT.php with body parameters action=import and signatureid containing SQL time-based blind injection payloads (e.g., SLEEP()).
  • Use the Nuclei template's two-step flow: first confirm the endpoint is live by checking for 'ruleBasesNames' in the response body to a GET-type probe, then send the time-based SQLi payload and flag if response duration >= 6 seconds.
  • Identify exposed Expedition instances via Shodan using favicon hash 1499876150 to scope detection and hunting efforts.
  • The Snort/ET rule (sid:2056642) inspects POST body for 'action=import' and 'signatureid=' combined with SQL keywords (SELECT, UNION, INSERT, DELETE, UPDATE, SHOW) via PCRE to catch a broad range of SQLi payloads against this endpoint.
  • CVE-2024-9465 is actively exploited in the wild and listed in CISA KEV; prioritize detection on internet-exposed Expedition instances and alert on any unauthenticated access to the vulnerable CHECKPOINT.php endpoint.
  • CVE-2024-9465 can be chained with CVE-2024-5910 (missing authentication, admin credential reset) and CVE-2024-9464 (authenticated command injection) to achieve full unauthenticated RCE as root; monitor for sequential exploitation of these endpoints.
  • The vulnerability only affects Palo Alto Networks Expedition versions prior to 1.2.96; it does not affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFW.
  • The Nuclei template uses a time-based blind SQLi detection method with a 6-second sleep threshold; tuning the timeout threshold may be necessary in high-latency environments to avoid false negatives or false positives.
  • The ET Snort rule (sid:2056642) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect HTTPS traffic to Expedition; without SSL inspection the rule will not fire on encrypted sessions.
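The detection logic the bullets describe (POST to the CHECKPOINT.php parser, body parameter action=import, and a signatureid value carrying SQL keywords or a time-based primitive such as SLEEP()) can be checked offline against decrypted request logs. The following is an added example written for this record, not code from the page, from Emerging Threats, or from Palo Alto Networks: SQLI_PATTERN is a simplified approximation of the ET rule's PCRE rather than the rule itself, inspect_request and parse_request are names chosen here, and the two sample requests are constructed (the exploit body reuses the request parameters already listed under Detection & IOCs). As the bullets note, this only works on plaintext or TLS-decrypted traffic, and it does not check whether the request carried a valid session, so an alert should be triaged against authentication state.

```python
import re
from urllib.parse import parse_qs

# Endpoint named in the ET rule and the Detection & IOCs section above.
VULN_PATH = "/bin/configurations/parsers/Checkpoint/CHECKPOINT.php"

# Simplified stand-in for the ET rule's PCRE: classic SQL statement shapes plus the
# time-based primitives used by blind SQLi probes. Approximation, not the rule itself.
SQLI_PATTERN = re.compile(
    r"(?:\bUNION\b.*\bSELECT\b|\bSELECT\b.*\b(?:FROM|USER)\b|\bINSERT\b.*\bINTO\b|"
    r"\bDELETE\b.*\bFROM\b|\bUPDATE\b.*\bSET\b|\bSHOW\b.*\b(?:TABLES|VARIABLES)\b|"
    r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|/\*.*\*/)",
    re.IGNORECASE | re.DOTALL,
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    The query string is dropped from the path; headers are lower-cased.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    path = target.split("?", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> dict:
    """Apply the three-stage check from the detection notes to one raw request.

    Returns which stages matched so an analyst can see why a request was
    (or was not) flagged. Only POST bodies to the parser endpoint are inspected.
    """
    method, path, _headers, body = parse_request(raw)
    result = {
        "path_match": False,
        "import_action": False,
        "sqli_in_signatureid": False,
        "verdict": "benign",
    }
    if method != "POST" or path != VULN_PATH:
        return result
    result["path_match"] = True

    # parse_qs percent-decodes values, so "1%20AND%20..." arrives as "1 AND ...".
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "import":
        return result
    result["import_action"] = True

    signatureid = params.get("signatureid", [""])[0]
    if SQLI_PATTERN.search(signatureid):
        result["sqli_in_signatureid"] = True
        result["verdict"] = "alert: CVE-2024-9465 SQLi pattern in signatureid"
    return result


# Constructed sample requests (not captured traffic). The exploit body is the
# request string already listed in the Detection & IOCs section of this record.
SAMPLE_EXPLOIT_REQUEST = (
    "POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1\r\n"
    "Host: expedition.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "action=import&type=test&project=pandbRBAC&signatureid=1%20AND%20"
    "(SELECT%201234%20FROM%20(SELECT(SLEEP(6)))test)"
)

SAMPLE_BENIGN_REQUEST = (
    "POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1\r\n"
    "Host: expedition.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "action=import&type=test&project=demo&signatureid=42"
)

if __name__ == "__main__":
    for label, req in (("exploit", SAMPLE_EXPLOIT_REQUEST), ("benign", SAMPLE_BENIGN_REQUEST)):
        print(label, inspect_request(req))
```

Running the block prints the stage-by-stage result for both samples: the constructed exploit request reaches the final stage and is flagged, while the benign import with a numeric signatureid passes the path and action checks but produces no alert.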

CVSS provenance

nvd        v3.1  9.1  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd        v4.0  9.2  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber
vulncheck        9.2  CRITICAL
cisa             9.2  CRITICAL