Date of Disclosure: July 10, 2024
Date Added to CISA KEV: October 7, 2024
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks Expedition versions before 1.2.92 that potentially allows unauthenticated attackers with network access to gain control of an Expedition administrator account. This unauthorized access could lead to the exposure of configuration secrets, credentials, and other sensitive data stored within Expedition. Palo Alto Networks assigned this vulnerability a CVSS score of 9.3.
Expedition is a migration and configuration management tool used to convert configurations for various other firewall vendors into Palo Alto Networks’ PAN-OS. Due to its handling of sensitive network configuration data, exploitation of Expedition could result in further compromises across an organization’s network.
Example Expedition Login Interface
Threat actors exploiting CVE-2024-5910 can gain control over Expedition admin accounts, reset credentials, and potentially access or exfiltrate data stored in the tool. Additionally, this vulnerability can be chained with CVE-2024-9464, an authenticated command injection vulnerability in Expedition, allowing attackers to escalate from an initial compromise to unauthenticated remote code execution (RCE).
Organizations using Expedition, particularly in internet-exposed environments, should review their security configurations immediately and patch their instances if possible. Network administrators can utilize the Censys search query provided below to help track exposed Expedition instances.
| Field |
Details |
| CVE-ID |
CVE-2024-5910 – CVSS 9.3 (Critical) assigned by Palo Alto Networks |
| Vulnerability Description |
Missing authentication in a critical function within Expedition allows unauthorized admin account takeover. |
| Date of Disclosure |
July 10, 2024 |
| Affected Assets |
Palo Alto Networks Expedition |
| Vulnerable Software Versions |
All versions before 1.2.92 |
| PoC Available? |
Yes, a PoC is available on GitHub demonstrating how this CVE can be chained with CVE-2024-9464 to achieve RCE |
| Exploitation Status |
Active exploitation observed; CISA added CVE-2024-5910 to its KEV catalog on November 7, 2024. GreyNoise has not observed CVE-2024-5910 account takeover attempts on its sensors in the past 30 days. |
| Patch Status |
A patch is available in version 1.2.92. Please refer to Palo Alto Networks’ advisory for patch instructions. |
Censys Perspective
Censys has identified 45 publicly exposed Expedition instances. Note that not all of these are necessarily vulnerable, as specific device versions are not available.
It is recommended that organizations limit public internet exposure of their Expedition tool interface and secure it behind strong network access controls.
Due to the relatively small number of affected devices exposed online, Censys will not publicly share queries for Expedition exposures at this time.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-5910
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-palo-alto-networks-bug-exploited-in-attacks/
- https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise
- https://security.paloaltonetworks.com/CVE-2024-5910
- https://security.paloaltonetworks.com/PAN-SA-2024-0010
