Palo Alto Networks warns of firewall hijack bugs with public exploit
Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls.
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from other Checkpoint, Cisco, or supported vendors.
They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts.
"Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system," the company said in an advisory published on Wednesday.
"Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls."
These bugs are a combination of command injection, reflected cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities:
- CVE-2024-9463 (unauthenticated command injection vulnerability)
- CVE-2024-9464 (authenticated command injection vulnerability)
- CVE-2024-9465 (unauthenticated SQL injection vulnerability)
- CVE-2024-9466 (cleartext credentials stored in logs)
- CVE-2024-9467 (unauthenticated reflected XSS vulnerability)
Proof-of-concept exploit available
Horizon3.ai vulnerability researcher Zach Hanley, who found and reported four of the bugs, has also published a root cause analysis write-up that details how he found three of these flaws while researching the CVE-2024-5910 vulnerability (disclosed and patched in July), which allows attackers to reset Expedition application admin credentials.
Hanley also released a proof-of-concept exploit that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 command injection vulnerability to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers.
Palo Alto Networks says that, for the moment, there is no evidence that the security flaws have been exploited in attacks.
"The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions. The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade," Palo Alto Networks added today.
"All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating."
Admins who can't immediately deploy today's security updates must restrict Expedition network access to authorized users, hosts, or networks.
In April, the company started releasing hotfixes for a maximum-severity zero-day bug that had been actively exploited since March by a state-backed threat actor tracked as UTA0218 to backdoor PAN-OS firewalls.
Google Joins Forces with GASA and DNS RF to Tackle Online Scams at Scale
CISA says critical Fortinet RCE flaw now exploited in attacks
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
InformationalModern Web Application
InformationalSession Management Response Identified
InformationalAuthentication Request Identified
InformationalInformation Disclosure - Sensitive Information in URL
InformationalInformation Disclosure - Suspicious Comments in XML via WebSocket
InformationalCSP: Header & Meta
InformationalUser Controllable HTML Element Attribute (Potential XSS)
MediumInsecure JSF ViewState
InformationalPossible Username Enumeration
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1293 Missing Source Correlation of Multiple Independent Data
CWE-215 Insertion of Sensitive Information Into Debugging Code
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere
Free online web security scanner