A critical Palo Alto Networks bug is being hit by cyber attacks, so patch now
- A bug that Palo Alto tackled last summer is being exploited in the wild
- CISA added it to its KEV catalog, giving federal agencies a deadline to patch
- The bug can be exploited to take over accounts and steal data
The US government has warned that a critical bug in Palo Alto Networks’ Expedition tool is being exploited in the wild.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog, meaning there is evidence of exploitation in the wild.
This vulnerability in Expedition, discovered in summer 2023, is described as a “missing authentication for a critical function” bug, which could allow an attacker with network access to take over Expedition administrator accounts. Because Expedition is a tool that helps migrate, tune, and enrich firewall configurations, it may hold secrets, credentials, and other sensitive data, which are then at risk of being stolen.
Proof of concept
Users are advised to apply a patch immediately as the vulnerability allows cybercriminals to take over administrative accounts, steal sensitive data and more.
When CISA adds a vulnerability to KEV, it gives federal agencies a deadline by which to patch it or discontinue use of the affected product entirely. The deadline for Palo Alto Networks Expedition is November 28, 2024.
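As an added example, not code from the article, CISA or Palo Alto Networks, the script below shows how a defender can turn a KEV listing into an actionable remediation deadline: it reads a document in the shape of CISA’s KEV JSON feed, matches its records against an asset inventory by vendor and product, and classifies each match as open, due soon or overdue. The JSON and the inventory are constructed samples (the second KEV record is a placeholder, not a real CVE); the CVE-2024-5910 due date is the one reported above, while its dateAdded value and the hostnames are assumed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (same field names as the
# real feed). The CVE-2024-5910 dueDate is the one reported in the article; the
# dateAdded value is assumed, and the second record is a placeholder, not a real CVE.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2024-5910",
      "vendorProject": "Palo Alto Networks",
      "product": "Expedition",
      "vulnerabilityName": "Palo Alto Networks Expedition Missing Authentication Vulnerability",
      "dateAdded": "2024-11-07",
      "shortDescription": "Missing authentication for a critical function can lead to admin account takeover.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2024-11-28",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-1900-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry (constructed, not a real CVE)",
      "dateAdded": "2024-10-01",
      "shortDescription": "Constructed placeholder record.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2024-10-22",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""

# Constructed asset inventory: (hostname, vendor, product). In practice this would
# come from a CMDB or scanner export.
SAMPLE_INVENTORY = [
    ("expedition-01.corp.example", "Palo Alto Networks", "Expedition"),
    ("build-07.corp.example", "ExampleVendor", "ExampleProduct"),
    ("web-02.corp.example", "OtherVendor", "OtherProduct"),
]


def load_kev(raw_json):
    """Return the list of KEV records from a feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def days_until_due(entry, today):
    """Days remaining until the record's dueDate (negative once the deadline has passed)."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def classify(days_left, soon_threshold=14):
    """Bucket a deadline: OVERDUE, DUE_SOON (within the threshold) or OPEN."""
    if days_left < 0:
        return "OVERDUE"
    if days_left <= soon_threshold:
        return "DUE_SOON"
    return "OPEN"


def affected_assets(entries, inventory, today):
    """Match inventory hosts to KEV records by vendor and product (case-insensitive)
    and compute the remaining time against each record's dueDate."""
    by_product = {}
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)

    findings = []
    for host, vendor, product in inventory:
        for entry in by_product.get((vendor.lower(), product.lower()), []):
            left = days_until_due(entry, today)
            findings.append({
                "host": host,
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": left,
                "status": classify(left),
            })
    # Most urgent first.
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in affected_assets(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.today()):
        print(f"{f['status']:8} {f['host']:28} {f['cve']:15} due {f['due']} ({f['days_left']:+d} days)")
```

KEV records carry no version information, so a vendor/product match only tells you which hosts need to be checked against the vendor advisory for the fixed version; it does not by itself prove a host is vulnerable.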
CISA has not shared any further details about the attacks, but BleepingComputer unearthed a report from Horizon3.ai, which released a proof-of-concept exploit in October 2024. By chaining the bug with CVE-2024-9464, attackers could gain unauthenticated arbitrary command execution on vulnerable Expedition servers.
This additional vulnerability was also discovered and resolved last month. Palo Alto Networks said it could have been used to take over administrative accounts in firewalls, as well as PAN-OS instances.
For those unable to install the patch immediately, a workaround is available: restrict network access to Expedition to authorized users, hosts and networks only.
“All Expedition usernames, passwords, and API keys must be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition must be rotated after updating,” Palo Alto Networks concluded.
Via BleepingComputer