New Exploited Vulnerabilities in Palo Alto Networks
Two New Vulnerabilities Added to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two additional vulnerabilities in the Palo Alto Networks Expedition software that are currently being exploited in the wild.
Details of the Security Flaws
CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 5, 2024.
The security vulnerabilities are as follows:
- CVE-2024-9463: A Palo Alto Networks Expedition OS Command Injection vulnerability with a CVSS score of 9.9.
- CVE-2024-9465: A Palo Alto Networks Expedition SQL Injection vulnerability with a CVSS score of 9.3.
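Because every KEV entry carries a vendor, product and due date, the catalog can be matched mechanically against an asset inventory to see which hosts are affected and how much of the remediation window is left. The script below is an added example, not code from the article, CISA or Palo Alto Networks. The KEV feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the records embedded here are constructed to mirror that feed's field names so the script runs offline, and the inventory host names and `patched` flags are hypothetical.

```python
"""Triage CISA KEV entries against an asset inventory (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the real KEV JSON feed. Field names
# (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate)
# match the feed; only the entries relevant to this article are included,
# plus one unrelated entry to show that filtering works.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-9463", "vendorProject": "Palo Alto Networks",
         "product": "Expedition",
         "vulnerabilityName": "Palo Alto Networks Expedition OS Command Injection Vulnerability",
         "dateAdded": "2024-11-14", "dueDate": "2024-12-05"},
        {"cveID": "CVE-2024-9465", "vendorProject": "Palo Alto Networks",
         "product": "Expedition",
         "vulnerabilityName": "Palo Alto Networks Expedition SQL Injection Vulnerability",
         "dateAdded": "2024-11-14", "dueDate": "2024-12-05"},
        {"cveID": "CVE-2024-5910", "vendorProject": "Palo Alto Networks",
         "product": "Expedition",
         "vulnerabilityName": "Palo Alto Networks Expedition Missing Authentication Vulnerability",
         "dateAdded": "2024-11-07", "dueDate": "2024-11-28"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    ],
})

# Hypothetical inventory: host names and patch state are made up for the example.
INVENTORY = [
    {"host": "expedition-01.corp.example", "vendor": "Palo Alto Networks",
     "product": "Expedition", "patched": False},
    {"host": "expedition-lab.corp.example", "vendor": "Palo Alto Networks",
     "product": "Expedition", "patched": True},
    {"host": "logs-01.corp.example", "vendor": "Apache", "product": "Log4j2",
     "patched": True},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    name: str
    due: date
    days_left: int  # negative once the KEV due date has passed

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def load_kev(feed_text: str) -> list[dict]:
    """Parse the KEV JSON document and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def kev_entries_for(kev: list[dict], vendor: str, product: str) -> list[dict]:
    """KEV records whose vendorProject/product match (case-insensitive)."""
    return [v for v in kev
            if v["vendorProject"].casefold() == vendor.casefold()
            and v["product"].casefold() == product.casefold()]


def triage(feed_text: str, inventory: list[dict], today_iso: str) -> list[Finding]:
    """Match unpatched inventory assets to KEV entries, earliest due date first."""
    today = date.fromisoformat(today_iso)
    kev = load_kev(feed_text)
    findings: list[Finding] = []
    for asset in inventory:
        if asset.get("patched"):
            continue  # already remediated; nothing to track
        for v in kev_entries_for(kev, asset["vendor"], asset["product"]):
            due = date.fromisoformat(v["dueDate"])
            findings.append(Finding(asset["host"], v["cveID"], v["vulnerabilityName"],
                                    due, (due - today).days))
    return sorted(findings, key=lambda f: (f.due, f.cve_id))


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today().isoformat()):
        state = "OVERDUE" if f.overdue else f"{f.days_left} day(s) left"
        print(f"{f.host}: {f.cve_id} due {f.due} ({state})")
```

Run against the real feed by replacing `KEV_SAMPLE` with the downloaded JSON; the `patched` flag stands in for whatever your CMDB records, so the script never has to guess fixed versions.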
Potential Impact of the Exploits
Both flaws are reachable without authentication. CVE-2024-9463 lets an attacker run arbitrary OS commands as root on the Expedition migration tool, exposing the usernames, plaintext passwords, device configurations and device API keys of the PAN-OS firewalls it manages. CVE-2024-9465 lets an attacker read the Expedition database (password hashes, usernames, device configurations and API keys) and, from there, create and read arbitrary files on the compromised system.
Palo Alto Networks Releases Patches
On October 9, 2024, Palo Alto Networks released security patches to address these flaws. The company has updated its initial advisory to acknowledge that it is “aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465.”
Unknown Attackers Exploiting Vulnerabilities
Details about who is exploiting these vulnerabilities, how they are being exploited, or the frequency of these attacks remain unknown at this time.
Recent Related Vulnerability CVE-2024-5910
This announcement comes a week after CISA alerted organizations to the active exploitation of another significant Expedition vulnerability, CVE-2024-5910, a missing-authentication flaw that also carries a CVSS score of 9.3.
Palo Alto Networks Confirms Limited Attacks
Separately, Palo Alto Networks has acknowledged a vulnerability that allows unauthenticated remote command execution against a limited number of firewall management interfaces exposed to the internet. The company advises customers to restrict access to the management interface to trusted internal IP addresses rather than exposing it to the internet.
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet,” the company stated.
Company’s Response and Recommendations
The company is preparing to release fixes and threat prevention signatures as soon as possible. The vulnerability has been assigned a CVSS score of 9.3 but has not yet received a CVE designation. Palo Alto Networks is investigating the malicious activity and urges users to secure their firewall management interfaces promptly.