Active exploitation of critical vulnerability CVE-2024-5910 (CVSS score: 9.3): a flaw stemming from missing authentication controls is being actively used by attackers to potentially take over admin accounts.
Organizations using Palo Alto Networks’ Expedition migration tool are now at heightened risk due to active exploitation of a critical vulnerability identified as CVE-2024-5910 (CVSS score: 9.3). This flaw, stemming from missing authentication controls, is actively being used by attackers to potentially take over admin accounts, threatening network configurations and sensitive information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to take immediate action to mitigate this risk.
| Field | Detail |
| --- | --- |
| Affected products | Palo Alto Networks Expedition migration tool (versions prior to 1.2.92) |
| Product category | IT Security |
| Severity | Critical |
| Type | Missing Authentication for Critical Function |
| Impact | Admin account takeover, unauthorized access to configuration secrets, potential control over firewall configurations |
| PoC | Yes (public PoC released by Horizon3.ai) |
| Exploited in the wild | Yes (listed in the CISA KEV catalog) |
| Remediation action | Update to Expedition version 1.2.92 or newer; restrict management interface access to trusted IPs; isolate on a dedicated management VLAN; rotate credentials; monitor for IoCs |
| Reference | MITRE advisory |
CVE-2024-5910 (CVSS score: 9.3) is a critical security vulnerability uncovered in Palo Alto Networks’ Expedition migration tool last July. This flaw, rooted in missing authentication controls, allows attackers to potentially take over admin accounts, posing serious risks to network configurations and sensitive information.
Specifically, the flaw allows attackers with network access to bypass authentication, enabling them to gain control over admin accounts. Once attackers assume admin access, they can potentially view and manipulate sensitive information, including configuration secrets and credentials, risking critical network assets. Organizations using Expedition versions below 1.2.92 are vulnerable to this exploitation in the wild unless they upgrade to the patched version released by Palo Alto Networks in July 2024.
This vulnerability can impact the network security of organizations that use Expedition for firewall configuration and migration and are running a version older than 1.2.92. Exploitation of this flaw is particularly concerning for enterprises and federal agencies that rely on Expedition to transition and manage critical firewall configurations.
Ensuring that Expedition is upgraded to the latest version and limiting access to internal, trusted IP addresses are essential steps to mitigate risk.
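As an added example (not from this advisory, CISA or Palo Alto Networks), a small Python triage script that applies the two checks above to an inventory of Expedition hosts: a numeric version comparison against 1.2.92 and a check that the management interface is reachable only from trusted ranges. The host names, versions and networks are constructed for illustration.

```python
from ipaddress import ip_network

# Fixed version named in the advisory.
PATCHED_VERSION = "1.2.92"


def parse_version(v):
    """Split a dotted version into a tuple of ints so comparison is numeric.
    Plain string comparison would wrongly rank "1.2.9" above "1.2.92"."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(version):
    """True when the installed Expedition version is older than 1.2.92."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def management_exposed(allowed_sources, trusted_nets):
    """True if any source range allowed to reach the management interface
    is not fully contained in one of the trusted ranges."""
    trusted = [ip_network(n) for n in trusted_nets]
    for src in allowed_sources:
        net = ip_network(src)
        if not any(net.subnet_of(t) for t in trusted):
            return True
    return False


def triage(inventory, trusted_nets):
    """Return (host name, reasons) for every host needing action."""
    findings = []
    for host in inventory:
        reasons = []
        if is_vulnerable(host["version"]):
            reasons.append("unpatched (< 1.2.92)")
        if management_exposed(host["mgmt_allow"], trusted_nets):
            reasons.append("management interface reachable from untrusted sources")
        if reasons:
            findings.append((host["name"], reasons))
    return findings


# Constructed sample inventory; none of these hosts or networks are real.
INVENTORY = [
    {"name": "exp-01", "version": "1.2.9", "mgmt_allow": ["10.10.0.0/24"]},
    {"name": "exp-02", "version": "1.2.92", "mgmt_allow": ["0.0.0.0/0"]},
    {"name": "exp-03", "version": "1.2.95", "mgmt_allow": ["10.10.5.0/24"]},
]
TRUSTED_MGMT_NETS = ["10.10.0.0/16"]

if __name__ == "__main__":
    for name, reasons in triage(INVENTORY, TRUSTED_MGMT_NETS):
        print(f"{name}: {'; '.join(reasons)}")
```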
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged active exploitation of this vulnerability, urging organizations to take immediate action. CISA has reported active exploitation of CVE-2024-5910, adding it to its Known Exploited Vulnerabilities (KEV) catalog.
While Palo Alto Networks initially patched the vulnerability in July 2024, recent observations indicate that attackers are leveraging this flaw in ongoing campaigns. Security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) exploit for CVE-2024-5910 that demonstrates how it can be chained with CVE-2024-9464, a command injection flaw, to enable remote command execution.
By combining these vulnerabilities, attackers could reset admin credentials and gain unauthorized control of firewall configurations.
To protect against CVE-2024-5910, Palo Alto Networks and CISA recommend taking the following actions:
Organizations, particularly U.S. federal agencies, have been advised to complete these remediation measures by November 28, 2024, as per CISA’s directive for mitigating actively exploited vulnerabilities.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: