CISA reports active exploitation of flaw in Palo Alto Expedition migration tool

Take action: If you still haven't patched your Palo Alto Networks Expedition migration tool, there is no time like the present. Expedition is being actively attacked; don't wait until you are hacked.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of active exploitation of a critical vulnerability in Palo Alto Networks’ Expedition migration tool. The flaw, tracked as CVE-2024-5910 and patched in July 2024, is a missing-authentication bug that lets an attacker with network access to Expedition take over the admin account remotely. With admin access in hand, an attacker can then reach the command injection vulnerabilities in the tool that were patched later.

In October, security researcher Zach Hanley released a proof-of-concept exploit that chains CVE-2024-5910 with CVE-2024-9464, a command injection flaw patched that same month, to execute commands on affected servers without holding valid credentials.

CISA has since added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are exploiting the flaw in the wild.

Under Binding Operational Directive 22-01, U.S. federal civilian agencies must remediate the vulnerability by the CISA deadline of November 28, 2024. Although the directive applies only to federal agencies, CISA strongly encourages every organization running Expedition to patch immediately.

For organizations that cannot apply the patch immediately, CISA and Palo Alto Networks recommend restricting network access to Expedition to authorized users, hosts or networks until the upgrade is done. Once the patch is in place, rotate all Expedition usernames, passwords and API keys, together with any firewall credentials that Expedition has processed, because patching does not invalidate credentials an attacker may already have harvested from the system.
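As an added example (not code from the article, CISA or Palo Alto Networks), the following POSIX shell script turns the interim network restriction into a host firewall allowlist on the Expedition server itself. It assumes the Expedition web interface is served on TCP 80 and 443 (override EXPEDITION_PORTS otherwise), that the host uses iptables, and uses a chain name, EXPEDITION_ACL, chosen here; the management networks are passed as CIDRs on the command line. Denied connection attempts are logged, which also leaves a record of who was probing the host while it was unpatched.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) an iptables allowlist that
# limits access to the Expedition web interface to named management networks.
# Assumptions: Expedition listens on TCP 80/443 (EXPEDITION_PORTS), the host
# uses iptables, and the chain name EXPEDITION_ACL is free to use.

EXPEDITION_PORTS="${EXPEDITION_PORTS:-80,443}"
CHAIN="EXPEDITION_ACL"

# Return 0 if $1 is a plausible IPv4 CIDR (e.g. 10.20.0.0/16), else 1.
# Validating here keeps a typo from turning into a rule that allows nothing
# (locking you out) or an iptables error halfway through the rule set.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"
  pfx="${1#*/}"
  [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] || return 1
  old_ifs="$IFS"
  IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables commands, one per line, that allow $@ and drop the rest.
# Printing rather than executing lets the operator review before applying.
gen_rules() {
  [ $# -gt 0 ] || { echo "usage: gen_rules CIDR [CIDR...]" >&2; return 2; }
  for c in "$@"; do
    valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 2; }
  done
  # A dedicated chain can be flushed and rebuilt without touching the rest of INPUT.
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  echo "iptables -A $CHAIN -i lo -j RETURN"
  echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  for c in "$@"; do
    echo "iptables -A $CHAIN -s $c -j RETURN"
  done
  # Rate-limited logging: enough to see probing, not enough to flood syslog.
  echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"EXPEDITION-DENIED: \""
  echo "iptables -A $CHAIN -j DROP"
  # Hook the chain at the top of INPUT for the web ports, only if not already hooked.
  echo "iptables -C INPUT -p tcp -m multiport --dports $EXPEDITION_PORTS -j $CHAIN 2>/dev/null || iptables -I INPUT 1 -p tcp -m multiport --dports $EXPEDITION_PORTS -j $CHAIN"
}

# Execute the generated rules (requires root).
apply_rules() {
  gen_rules "$@" | sh
}

# Usage:  sh expedition_acl.sh 10.20.0.0/16 192.0.2.10/32      -> print rules
#         EXPEDITION_APPLY=1 sh expedition_acl.sh 10.20.0.0/16   -> apply rules
if [ $# -gt 0 ]; then
  if [ "${EXPEDITION_APPLY:-0}" = "1" ]; then
    apply_rules "$@"
  else
    gen_rules "$@"
  fi
fi
```

Run it without EXPEDITION_APPLY first to review the generated commands; set EXPEDITION_APPLY=1 to enforce them as root. This is a stopgap only: it narrows who can reach the missing-authentication bug, but the upgrade and the credential rotation that follows it are still required.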