CISA reports additional flaws actively exploited in Palo Alto Networks' Expedition migration tool
Take action: If you still haven't patched your Palo Alto Networks Expedition migration tool, there's no time like the present. The Expedition migration tool is being actively attacked, and more flaws have now been reported. Don't wait until you are hacked, and expect further flaws to be reported.
CISA has issued a critical alert regarding multiple actively exploited vulnerabilities in Palo Alto Networks' Expedition migration tool. The tool, which is designed to facilitate configuration migrations from various vendors like Checkpoint and Cisco, has been found to contain several severe security flaws that are currently being exploited by threat actors.
These vulnerabilities are in addition to the previously reported and exploited CVE-2024-5910 and CVE-2024-9464, the latter of which is chained with CVE-2024-5910:
- CVE-2024-9463 (CVSS score 9.9) - An unauthenticated command injection vulnerability allowing execution of arbitrary OS commands with root privileges
- CVE-2024-9465 (CVSS score 9.3) - A SQL injection vulnerability enabling unauthorized access to the Expedition database
- Additionally, Palo Alto Networks has confirmed the discovery of a new unauthenticated remote command execution vulnerability (CVSS score 9.3, no CVE assigned yet) that is being actively exploited against a limited number of internet-exposed firewall management interfaces. The company is currently investigating this threat and preparing to release fixes and threat prevention signatures.
Exploitation of these vulnerabilities can lead to exposure of usernames and cleartext passwords, access to device configurations, compromise of device API keys for PAN-OS firewalls, the ability to create and read arbitrary files on vulnerable systems, and potential takeover of firewall admin accounts.
Palo Alto Networks has released security updates in Expedition 1.2.96 and later versions to address these vulnerabilities.
For organizations unable to implement immediate updates, Palo Alto Networks recommends restricting network access to the Expedition tool to only authorized users, hosts, or networks as a temporary mitigation measure.
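As an added example (not code from CISA or Palo Alto Networks), a small Python triage script that applies the two takeaways above to an inventory of Expedition hosts: it flags hosts still running a release below 1.2.96 and hosts whose access allowlist still admits any source address. The inventory structure, field names and sample hosts are constructed for this example.

```python
"""Triage helper for the Expedition advisory above (example, not vendor code).

Given an inventory of Expedition hosts (version string plus the source
ranges allowed to reach the tool), report which hosts still need the
1.2.96 update and which remain reachable from anywhere.
"""
from ipaddress import ip_network

FIXED_VERSION = (1, 2, 96)  # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.2.96' into (1, 2, 96) so that 1.2.100 sorts after 1.2.96.

    A plain string comparison gets this wrong ('1.2.100' < '1.2.96').
    Non-numeric suffixes such as '-beta' are dropped before comparing.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the running version is 1.2.96 or later."""
    return parse_version(version) >= FIXED_VERSION


def is_internet_exposed(allowed_sources) -> bool:
    """True if any allowlisted range is the whole IPv4 or IPv6 address space."""
    return any(ip_network(src, strict=False).prefixlen == 0 for src in allowed_sources)


def triage(inventory):
    """Return (hosts needing the update, hosts still open to any source)."""
    unpatched = [h["host"] for h in inventory if not is_patched(h["version"])]
    exposed = [h["host"] for h in inventory if is_internet_exposed(h["allowed_sources"])]
    return unpatched, exposed


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "expedition-a", "version": "1.2.95", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "expedition-b", "version": "1.2.96", "allowed_sources": ["10.0.0.0/8"]},
    {"host": "expedition-c", "version": "1.2.100", "allowed_sources": ["10.1.2.3/32", "::/0"]},
]

if __name__ == "__main__":
    need_update, open_to_all = triage(SAMPLE_INVENTORY)
    print("Needs 1.2.96 or later:", need_update)
    print("Reachable from any source:", open_to_all)
```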