Security Affairs
Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack […]

CISA BlueHammer (CVE-2026-33825)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
  • CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability

Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.

The vulnerabilities reside in the Palo Alto Networks’ Expedition solution, which is a migration tool designed to help organizations move configurations from other firewall platforms (like Check Point, Cisco, and others) to Palo Alto’s PAN-OS.

“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system.” reads the advisory. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.”

An attacker could exploit the flaws to access sensitive data, such as user credentials, and potentially take over firewall administrator accounts.

Below are the descriptions of the flaws addressed by the security firm:

  • CVE-2024-9463 (CVSS 9.9) – A command injection vulnerability in Palo Alto Networks’ Expedition allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls.
  • CVE-2024-9464 (CVSS 9.3) – An authenticated OS command injection vulnerability allows attackers root access, leading to data exposure similar to CVE-2024-9463.
  • CVE-2024-9465 (CVSS 9.2) – An SQL injection vulnerability in Palo Alto’s Expedition allows unauthenticated attackers to access database contents, including password hashes and device configurations, and create or read files on the system.
  • CVE-2024-9466 (CVSS 8.2) – A vulnerability in Palo Alto Networks Expedition allows authenticated attackers to access sensitive information, revealing firewall usernames, passwords, and API keys stored in cleartext.
  • CVE-2024-9467 (CVSS 7.0) – A reflected XSS vulnerability allows malicious JavaScript to execute in an authenticated user’s browser, leading to phishing attacks and potential session theft.

The vulnerabilities impact Expedition versions prior to 1.2.96. 

Researchers from Horizon3 discovered the flaws CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466 while investigating the vulnerability CVE-2024-5910, which was disclosed in July.

The experts shared a proof-of-concept exploit code that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 for unauthenticated command execution on Expedition servers.

Horizon3 also published IOCs (indicators of compromise).

Palo Alto also provided workarounds and mitigations for these flaws. The company reccoments to restrict network access to Expedition to authorized users and hosts. For CVE-2024-9465, check for potential compromise by running the command mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;" on an Expedition system. If records are returned, it indicates potential compromise, though a lack of records does not confirm safety.

Palo Alto is not aware of attacks in the wild exploiting these vulnerabilities.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by December 5, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto Networks Expedition)