Critical vulnerabilities in Palo Alto Expedition: everything you need to know

Detect and mitigate critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) in Palo Alto Networks’ Expedition tool. Organizations should patch urgently.


Palo Alto Networks’ Expedition tool contains multiple critical vulnerabilities (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467), including OS command injection, SQL injection, cleartext storage of sensitive information, and cross-site scripting (XSS). These issues, with CVSS scores reaching 9.9, expose systems running Expedition to unauthorized access, credential theft, and administrative takeover. Exploitation requires minimal complexity and no user interaction, posing a critical risk to systems unless addressed promptly. 

What are these vulnerabilities? 

Expedition is a tool designed to help the migration process of configurations from supported vendors to Palo Alto Networks systems. Expedition allows users to convert configurations from vendors like Checkpoint, Cisco, or others to PAN-OS. 

The identified vulnerabilities in Expedition include several OS command injection flaws (CVE-2024-9463 and CVE-2024-9464), enabling attackers—both authenticated and unauthenticated—to run arbitrary OS commands as root. This exposure allows access to sensitive data such as firewall credentials and API keys. Additionally, the SQL injection vulnerability (CVE-2024-9465) permits unauthenticated attackers to access Expedition’s database and retrieve critical information like password hashes and configuration details, with the potential to write arbitrary files to the system. Furthermore, CVE-2024-9466 reveals sensitive information in cleartext logs, and CVE-2024-9467 allows reflected XSS, which attackers can exploit to steal user sessions or perform phishing attacks. All vulnerabilities combined represent a substantial threat that requires urgent patching and securing of Expedition instances. 

| CVE | Type | CVSS |
| --- | --- | --- |
| CVE-2024-9463 | OS command injection | 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9464 | OS command injection | 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) |
| CVE-2024-9465 | SQL injection | 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9466 | Cleartext storage of sensitive information | 8.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) |
| CVE-2024-9467 | Reflected XSS | 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N) |

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, this product is not prevalent in cloud environments: it appears to be exposed to the internet in less than 1% of cloud environments. In addition, the third-party internet scanning service FOFA found only 106 exposed servers worldwide. 

Which products are affected? 

All versions of Expedition below 1.2.96 are affected. 

Which actions should security teams take? 

It is recommended to upgrade to Expedition version 1.2.96 or later. This version addresses all identified vulnerabilities. 

The following mitigation steps can be taken to minimize risk of exploitation: 

  1. Access Restrictions: Limit network access to Expedition systems to authorized personnel and networks only. 

  2. Rotate Credentials: Immediately after upgrading, rotate all Expedition-related usernames, passwords, and API keys, including those for firewalls and devices integrated through Expedition. 

  3. Monitor Logs and Check IoCs: Inspect access logs for HTTP requests targeting known vulnerable endpoints like /OS/startup/restore/restoreAdmin.php and /bin/CronJobs.php for signs of unauthorized activity. Additionally, run checks on the Expedition database for suspicious entries indicating potential compromises. 

  4. Shutdown Unused Instances: Disable Expedition software if it is not actively in use to minimize exposure. 
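The log check in step 3, as an added example that is not part of the Wiz advisory or of Expedition itself: it parses web-server access logs, flags requests to the two endpoints named above, and counts them per source address. It assumes the server writes Apache/nginx "combined" format; the sample lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Endpoints the advisory names as targets of exploitation attempts (lower-cased for comparison).
SUSPICIOUS_PATHS = ("/os/startup/restore/restoreadmin.php", "/bin/cronjobs.php")

# Assumption: Expedition's web server writes Apache/nginx "combined" format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records whose request path hits a known-vulnerable endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string and compare case-insensitively, so that
        # "/bin/CronJobs.php?action=run" and "/BIN/cronjobs.php" are both caught.
        path = rec["path"].split("?", 1)[0].lower()
        if path.endswith(SUSPICIOUS_PATHS):
            hits.append(rec)
    return hits

def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious requests per client IP to prioritise investigation."""
    return dict(Counter(h["ip"] for h in hits))

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:01:02 +0000] "POST /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Oct/2024:12:05:44 +0000] "GET /bin/CronJobs.php?action=run HTTP/1.1" 200 128 "-" "python-requests/2.31"
192.0.2.10 - - [10/Oct/2024:12:06:10 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2024:12:06:12 +0000] "GET /css/main.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(count_by_source(hits))
```

Any hit on these paths from an address that is not a known administrator, especially a POST answered with 200, should be treated as a potential compromise and followed by the credential rotation in step 2.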

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

