CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed

Nov 15, 2024Ravie LakshmananNetwork Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition have come under active exploitation in the wild.

To that, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024.

The security flaws are listed below –

• CVE-2024-9463 (CVSS score: 9.9) – Palo Alto Networks Expedition OS Command Injection Vulnerability
• CVE-2024-9465 (CVSS score: 9.3) – Palo Alto Networks Expedition SQL Injection Vulnerability

Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents.

This could then pave the way for disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, or create and read arbitrary files on the vulnerable system.

Palo Alto Networks addressed these shortcomings as part of security updates released on October 9, 2024. The company has since revised its original advisory to acknowledge that it’s “aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465.”

That said, not much is known about how these vulnerabilities are being exploited, by whom, and how widespread these attacks are.

The development also came a week after CISA was notified of the active exploitation of CVE-2024-5910 (CVSS score: 9.3), another critical flaw affecting Expedition.

Palo Alto Networks Confirms New Flaw Under Limited Attack

Palo Alto Networks has since also confirmed that it has detected an unauthenticated remote command execution vulnerability being weaponized against a small subset of firewall management interfaces that are exposed to the internet, urging customers to secure them.

“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet,” it added.

The company, which is investigating the malicious activity and has given the vulnerability a CVSS score of 9.3 (no CVE identifier), also said it’s “preparing to release fixes and threat prevention signatures as early as possible.”