The US Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that two more flaws affecting Palo Alto Networks Expedition have been actively exploited in the wild.
The agency has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024.
The security flaws are listed below –
- CVE-2024-9463 (CVSS score: 9.9) – OS command injection vulnerability in Palo Alto Networks Expedition
- CVE-2024-9465 (CVSS score: 9.3) – SQL injection vulnerability in Palo Alto Networks Expedition
Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to execute arbitrary OS commands as root on the Expedition migration tool, or to read the contents of its database.
That, in turn, could expose usernames, plaintext passwords, device configurations, and device API keys of PAN-OS firewalls, or allow the attacker to create and read arbitrary files on a vulnerable system.
Palo Alto Networks addressed these flaws in security updates released on October 9, 2024. The company has since revised its original advisory to acknowledge that it is "aware of reports from CISA that there is evidence of active exploitation of CVE-2024-9463 and CVE-2024-9465."
However, little is currently known about how these vulnerabilities are being exploited, by whom, and how widespread the attacks are.
The development comes a week after CISA was notified of active exploitation of CVE-2024-5910 (CVSS score: 9.3), another critical flaw affecting Expedition.
Palo Alto Networks confirms that the new flaw is under limited attack
Separately, Palo Alto Networks has confirmed that it detected an unauthenticated remote command execution vulnerability being exploited against a small number of firewall management interfaces exposed to the internet, and urged customers to secure them.
"Palo Alto Networks has observed a threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," it said.
The company, which is investigating the malicious activity and has assigned the vulnerability a CVSS score of 9.3 (no CVE identifier has been issued yet), also said it is "preparing to release fixes and threat prevention signatures as early as possible."