An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
An attacker without any authentication can send a specially crafted request to the vulnerable Expedition component, which improperly processes the input and passes it directly to the operating system command interpreter. As a result, arbitrary OS commands can be executed with root privilege level. The lack of user interaction requirement and the absence of authentication or special configuration requirements make this vulnerability exceptionally easy to exploit remotely.
The attacker gains full control over the Expedition system with root privileges, resulting in disclosure of usernames, passwords in cleartext, device configurations, and PAN-OS firewall API keys — which can consequently lead to takeover of managed network devices.
Patches available from the vendor must be applied immediately in accordance with official advisory PAN-SA-2024-0010 (https://security.paloaltonetworks.com/PAN-SA-2024-0010). Until the update is applied, consider restricting network access to the Expedition interface only to trusted hosts and isolating the system from the production network.
Palo Alto Networks Expedition — versions indicated in vendor references (advisory PAN-SA-2024-0010)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:AmberPalo Alto Networks Expedition
APPPaloaltonetworks1.2.0 – 1.2.96 (bez)
CISA KEV — detailsi
- Vendori
- Palo Alto Networks ↗
- Producti
- Expedition
- Added to KEVi
- November 14, 2024
- Remediation deadline (US Federal)i
- December 5, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
Related vulnerabilities
SQL Injection w Palo Alto Networks Expedition — dostęp do danych i plików
Brak uwierzytelnienia w Palo Alto Networks Expedition — przejęcie konta admina
SQL Injection w Palo Alto Networks Expedition — ujawnienie danych i odczyt plików
OS command injection w Palo Alto Networks Expedition umożliwiający RCE jako root
The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier may allow an unauthenticated attacker wit...