A missing authentication flaw in Palo Alto Networks’ Expedition tool now jeopardizes firewall configurations across sectors, with attackers actively exploiting this vulnerability in the wild.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively exploited vulnerability in Palo Alto Networks’ Expedition tool. This flaw, labeled CVE-2024-5910, poses a critical threat by allowing attackers to take over administrative accounts, putting configuration secrets and credentials at risk.
Expedition’s widespread usage in firewall migration and management makes the vulnerability particularly concerning for organizations relying on this tool for seamless transitions from other firewalls to Palo Alto’s PAN-OS.
Also read: Palo Alto Networks Warns Customers of Actively-Exploited PAN-OS vulnerability
Although Palo Alto Networks released a patch in July, exploitation is now observed, urging immediate remediation for any organization using Expedition versions below 1.2.92.
The Expedition Vulnerability
CVE-2024-5910 represents a missing authentication vulnerability in the Expedition tool, enabling attackers with network access to assume control of the admin account. This exploit opens a gateway to sensitive data such as configuration details, credentials, and other critical information. With a CVSSv4.0 base score of 9.3, this flaw ranks as critical, posing significant risks to both enterprise and federal environments.
Only Expedition versions below 1.2.92 are susceptible, and organizations using older versions face potential exposure until they implement the recommended upgrade.
Also read: Patch Now! Critical Flaw Found in Palo Alto Networks Expedition Migration Tool
Technical Details of Expedition Vulnerability
- Vulnerability ID: CVE-2024-5910 (Missing Authentication for Critical Function)
- Severity Level: Critical (CVSSv4.0 Score: 9.3)
- Affected Versions: Expedition versions below 1.2.92
- Unaffected Versions: Expedition 1.2.92 and newer
- Impact: Admin account takeover, unauthorized access to configuration secrets, potential firewall control
Exploitation in the Wild
The risk associated with CVE-2024-5910 likely escalated following the release of a proof-of-concept (PoC) exploit by security researcher Zach Hanley from Horizon3.ai in October. This PoC demonstrated how CVE-2024-5910 could be combined with another vulnerability, CVE-2024-9464—a command injection flaw—to enable remote, arbitrary command execution on vulnerable systems. By chaining these exploits, attackers gain the ability to reset admin credentials and potentially take control of PAN-OS firewall configurations.
This compounded risk has heightened concerns as attackers can exploit Expedition’s missing authentication and reset vulnerabilities, offering them unauthorized access to sensitive network resources.
CISA Adds CVE-2024-5910 to KEV Catalog
To underscore the critical nature of this flaw, CISA on Thursday added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) Catalog. This inclusion mandates all U.S. federal agencies to secure vulnerable Expedition servers by November 28, emphasizing the federal government’s priority to address known and actively exploited vulnerabilities.
The CVE-2024-5910 vulnerability exemplifies the ongoing challenge of securing essential network management tools. This flaw, particularly due to its integration with critical firewall migration software, emphasizes the need for immediate and proactive vulnerability management. Regular patching, stringent credential rotation, and restricted network access remain essential defenses against exploits like these.
With CISA closely monitoring this threat, addressing CVE-2024-5910 serves not only as regulatory compliance but as a vital security measure. Updating Expedition to the latest version and adhering to security best practices strengthens organizational resilience against similar vulnerabilities, helping prevent unauthorized access and safeguard sensitive network configurations.
