New Security Risks in Palo Alto Networks Expedition and CyberPanel Software
Critical Vulnerability Patched in Palo Alto Networks Expedition
A major security flaw has been identified and patched in Palo Alto Networks’ Expedition tool, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This vulnerability, now listed on CISA’s known exploited vulnerabilities (KEV) catalog, has raised concerns due to confirmed signs of active exploitation.
The issue, tracked as CVE-2024-5910 with a CVSS score of 9.3, is a missing-authentication flaw in the Expedition migration tool. It could allow an attacker with network access to take over an admin account, potentially exposing sensitive configuration data, credentials, and other critical information. CISA’s notice cautions that the vulnerability might expose users to significant risks.
The flaw affects all Expedition versions before 1.2.92, which Palo Alto Networks released in July 2024 to address this issue.
Active Exploitation and Awareness
Although there’s no confirmed instance of this vulnerability being used in widespread attacks, Palo Alto Networks updated their original warning to reflect CISA’s report of active exploitation. Organizations using Expedition should ensure they are running version 1.2.92 or later to safeguard against potential threats.
Additional Vulnerabilities Added to CISA’s KEV List
CISA has also added two more vulnerabilities to its KEV catalog:
- Android Framework Privilege Escalation (CVE-2024-43093)
Google recently revealed a privilege escalation flaw in the Android Framework (CVE-2024-43093), which has been exploited in limited, targeted attacks.
- Critical CyberPanel Command Execution (CVE-2024-51567)
A major vulnerability in CyberPanel, tracked as CVE-2024-51567 (CVSS: 10.0), allows unauthenticated, remote attackers to run commands as root. CyberPanel patched this flaw in version 2.3.8, but it has been actively exploited, leading to widespread issues.
Widespread Attacks on CyberPanel Servers
In October 2023, researchers from LeakIX and security expert Gi7w0rm discovered that cybercriminals were heavily exploiting the CyberPanel vulnerability to install PSAUX ransomware on over 22,000 internet-exposed CyberPanel servers. LeakIX noted that multiple ransomware groups targeted the flaw, sometimes encrypting files multiple times on affected servers.
Immediate Security Recommendations for Federal Agencies
To protect against ongoing cyber threats, Federal Civilian Executive Branch (FCEB) agencies are advised to patch these vulnerabilities by November 28, 2024. Addressing these issues promptly will help minimize the risk of unauthorized access, ransomware attacks, and other security incidents in their networks.