InfoSecBulletin Cybersecurity for mankind
Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores between 7.0 and 9.9. Exploiting these flaws could allow attackers to take over firewall admin accounts and access sensitive information like usernames, cleartext passwords, and API keys for PAN-OS firewalls.
The vulnerabilities found in Expedition are serious, particularly for organizations using Palo Alto Networks firewalls. They include OS command injection, SQL injection, and storing sensitive information in cleartext, allowing attackers to gain root access and steal confidential data.
Check Point said BreachForum post old data
Apple Warns of 3 Zero Day Vulns Actively Exploited
24,000 unique IP attempted to access Palo Alto GlobalProtect portals
CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access
Australian fintech database exposed in 27000 records
Over 200 Million Info Leaked Online Allegedly Belonging to X
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CVE-2024-9463 (CVSS 9.9): A vulnerability that allows an attacker to run commands on the operating system as an admin, exposing sensitive information like usernames and passwords.
CVE-2024-9464 (CVSS 9.3): A related OS command injection vulnerability that requires authentication and lets attackers run commands as root.
CVE-2024-9465 (CVSS 9.2): An SQL injection flaw that lets attackers access Expedition’s database, exposing passwords and usernames.
CVE-2024-9466 (CVSS 8.2): A vulnerability that allows storing firewall usernames and passwords in an unprotected format, creating a serious risk if not addressed.
CVE-2024-9467 (CVSS 7.0): A reflected XSS vulnerability that lets attackers run harmful JavaScript through phishing attacks.
Palo Alto Networks has released version 1.2.96 of Expedition to fix vulnerabilities. Users are advised to change all usernames, passwords, and API keys after updating. It’s also recommended to restrict network access to authorized users to reduce exposure risk.
The company acknowledged researchers from Horizon3.ai and Palo Alto Networks who reported these vulnerabilities. Despite the severity of these issues, Palo Alto Networks states that they are “not aware of any malicious exploitation of these issues.”
Organizations utilizing Palo Alto Networks Expedition must promptly upgrade to version 1.2.96 or a later release and thoroughly rotate all pertinent credentials. Neglecting this crucial step may expose critical systems to unauthorized access. Additionally, administrators aiming to identify potential compromises related to CVE-2024-9465 can refer to the advisory for the following indicator of compromise (IoC) command:
mysql -uroot -p -D pandb -e “SELECT * FROM cronjobs;”
If this command returns records, it may indicate a compromise of the system. However, Palo Alto Networks advises that this does not guarantee that a system is free from compromise if no records are returned.
