The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Thursday regarding the discovery of two vulnerabilities in the Palo Alto Networks Expedition software. These vulnerabilities are currently being exploited in the wild, heightening concerns for users and organizations that manage their network infrastructures with this tool.

In light of these threats, CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies must implement necessary security updates by December 5, 2024, to mitigate the risks posed by these threats.

The vulnerabilities, tracked as CVE-2024-9463 and CVE-2024-9465, carry CVSS scores of 9.9 and 9.3, respectively. The first is an OS command injection flaw, while the second is a SQL injection flaw in the Expedition software. If exploited, they could allow unauthenticated attackers to execute arbitrary OS commands or read sensitive information from the Expedition database.

Such exploitation could lead to the exposure of critical data, including usernames, plaintext passwords, device configurations, and API keys for PAN-OS firewalls. Additionally, attackers could manipulate or read files on compromised systems, severely jeopardizing organizational security.

Palo Alto Networks addressed these security flaws in its updates released on October 9, 2024, but has acknowledged CISA’s reports concerning the active exploitation of these vulnerabilities. Despite these acknowledgments, detailed information about the nature of the attacks remains scarce, including the identities of the attackers and the extent of the exploitation.

This alert follows CISA’s recent notification regarding another critical vulnerability, CVE-2024-5910, also impacting Expedition, signifying an escalation in threats targeting this widely used software. As organizations navigate their cybersecurity measures, the revealed vulnerabilities serve as a stark reminder of the ongoing security challenges they face.

Palo Alto Networks Confirms Active Exploitation

In a further development, Palo Alto Networks reported that an unauthenticated remote command execution vulnerability has been actively exploited against certain firewall management interfaces that are exposed to the internet. The company has classified this new flaw with a CVSS score of 9.3, without assigning a CVE identifier at this time. Customers are urged to secure their interfaces to prevent potential breaches.

Palo Alto has initiated an investigation into this malicious activity and is working on releasing necessary fixes and threat prevention signatures promptly. The company’s acknowledgment of observed threat activity underscores the seriousness of the vulnerabilities now affecting its software.

As CISA and Palo Alto Networks respond to these evolving threats, business owners should remain vigilant. Applying software updates promptly and restricting access to management interfaces are the most direct ways to limit the impact of these vulnerabilities. In this context, tactics catalogued in the MITRE ATT&CK framework, such as initial access, privilege escalation, and command execution, offer a useful lens for understanding the methods likely behind these attacks. By staying informed and proactive, businesses can better safeguard their critical assets against cyber threats.
