The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw affecting Palo Alto Networks’ Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), is a case of missing authentication in the Expedition migration tool that could lead to the takeover of an administrator account.
“Palo Alto Expedition contains a missing authentication vulnerability that could allow an attacker with network access to hijack an Expedition administrator account and potentially gain access to configuration secrets, credentials, and other data,” the CISA alert said.
The flaw affects all versions of Expedition before version 1.2.92, which was released in July 2024 to fix the problem.
There are currently no reports detailing how this vulnerability is being used in actual attacks, but Palo Alto Networks has since revised its original advisory to acknowledge that it “is aware of CISA’s reports that there is evidence of active exploitation.”
Two other vulnerabilities were also added to the KEV catalog, including an elevation of privilege vulnerability in an Android Framework component (CVE-2024-43093), which Google disclosed this week as being under “limited, targeted exploitation”.
The other is CVE-2024-51567 (CVSS score: 10.0), a critical flaw affecting CyberPanel that allows a remote, unauthenticated attacker to execute commands as root. The issue was resolved in version 2.3.8.
In late October 2023, it was discovered that the vulnerability was being exploited extensively by attackers to deploy PSAUX ransomware on more than 22,000 Internet-exposed CyberPanel instances, according to LeakIX and a security researcher who uses the online pseudonym Gi7w0rm.
LeakIX also noted that three different ransomware groups quickly exploited the vulnerability, in some cases encrypting files multiple times.
Federal Civilian Executive Branch (FCEB) agencies have been advised to address the identified vulnerabilities by November 28, 2024, to protect their networks from active threats.