On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with a recently patched critical vulnerability affecting Palo Alto Networks’ Expedition tool. CISA’s action follows evidence suggesting that the flaw is actively being exploited, posing significant risks to organizations relying on this software.

The vulnerability, tracked as CVE-2024-5910, carries a critical CVSS score of 9.3. It stems from missing authentication in the Expedition migration tool, which could allow an unauthenticated user to take over an administrator account and from there reach sensitive configuration data and credentials. CISA’s alert underscores the severity of the issue, noting that an attacker with network access to Expedition could fully compromise an Expedition admin account.

The flaw affects all versions of Expedition prior to 1.2.92, released in July 2024, which fixes the issue. No detailed public reports describe how attackers are exploiting the vulnerability in the wild, but Palo Alto Networks has acknowledged that it is aware of CISA’s reports of active exploitation.

Alongside the Expedition vulnerability, CISA added two other flaws to the catalog. The first is a privilege escalation vulnerability in the Android Framework (CVE-2024-43093), which Google has disclosed as being under limited, targeted exploitation. The second is CVE-2024-51567, a critical issue in CyberPanel rated at the maximum CVSS score of 10.0 that allows remote, unauthenticated attackers to execute commands as root. It was fixed in CyberPanel version 2.3.8.

Recent activity has revealed a troubling pattern: in October 2023, the CyberPanel vulnerability was reportedly exploited en masse by threat actors who deployed PSAUX ransomware on more than 22,000 internet-exposed instances. Reports indicate that three distinct ransomware groups have exploited the weakness, with some victims’ files encrypted multiple times.

CISA has directed Federal Civilian Executive Branch agencies to remediate the identified vulnerabilities by November 28, 2024. Patching promptly closes the unauthenticated access paths these flaws expose and limits the window in which they can be exploited.

The tactics likely employed in these attacks align with documented MITRE ATT&CK behaviors. Initial Access and Privilege Escalation are the tactics most plausibly involved: exploiting an exposed, unauthenticated service to gain a foothold falls under Initial Access, while obtaining administrative or root privileges falls under Privilege Escalation. As threats continue to evolve, organizations need to stay vigilant and proactive about patching vulnerabilities in their infrastructure.
