Palo Alto Networks Expedition Firewall Tool Exploited by Hackers

A critical vulnerability (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool is being exploited in the wild, according to the Cybersecurity and Infrastructure Security Agency (CISA). The bug allows attackers with network access to take control of an Expedition admin account.

Synopsys Cybersecurity Research Center researcher Brian Hysell discovered the vulnerability, which can be exploited by sending a simple request to an exposed endpoint to reset the admin password. This led to further discoveries of additional vulnerabilities, including authenticated command injection, unauthenticated SQL injection, and cleartext credentials in logs.

Palo Alto Networks released security updates for these issues in July 2024 and October 2024. However, proof-of-concept exploit code is publicly available, showing that the later-discovered vulnerabilities can be chained with CVE-2024-5910 to achieve arbitrary command execution on unpatched servers.

To protect against exploitation, users are advised to upgrade their Expedition installation to a fixed version and restrict network access. They should also rotate all usernames, passwords, and API keys, as well as firewall usernames, passwords, and API keys processed by Expedition.

Source: https://www.helpnetsecurity.com/2024/11/08/cve-2024-5910