Skip to main content
close search
site logo
Dive Brief

Attackers target Palo Alto Networks’ customer migration tool

An actively exploited vulnerability in Expedition allows attackers to achieve admin account takeover. The product reaches end of life in January.

Published Nov. 8, 2024
Matt Kapko's headshot
Senior Reporter
Palo Alto Networks
Cybersecurity professionals assemble for a presentation at Palo Alto Networks' booth on the show floor on April 27, 2023 at the RSA Conference in San Francisco. Attackers are exploiting a critical vulnerability in Palo Alto Networks' customer migration tool, the Cybersecurity and Infrastructure Agency said on Nov. 7, 2024. Matt Kapko/Cybersecurity Dive

Dive Brief:

  • Attackers are actively exploiting a critical vulnerability in Palo Alto Networks Expedition, the security vendor’s tool for migrating customers over from other vendors. The Cybersecurity and Infrastructure Security Agency added CVE-2024-5910 to its known exploited vulnerabilities catalog on Thursday.
  • Palo Alto Networks alerted customers to the vulnerability in a July 10 security advisory and issued a patch via a software update. At the time, the vendor said there was no evidence of active exploitation at the time.
  • The missing authentication for a critical function vulnerability in Palo Alto Networks Expedition, which has a CVSS score of 9.3, can allow an attacker to achieve admin account takeover and gain access to configuration secrets, credentials and other data imported into the migration tool.

Dive Insight:

Attackers are exploiting the previously patched vulnerability in a migration tool Palo Alto Networks previously said it plans to no longer support beginning in January. “We are currently in the process of transferring the core functionalities of the tool into new products,” the company said in a June post announcing end of life support for Expedition on its community forum.

Palo Alto Networks Expedition allows customers to convert a configuration from Checkpoint, Cisco and other supported vendors to a PAN-OS deployment.

Palo Alto Networks, the world’s largest cybersecurity vendor, is trying to lure customers away from competitors. An initiative it kicked off earlier this year offers customers deferred billings if they consolidate spending with the company as they wait for contracts to expire with rival firms.

Palo Alto Networks updated its security advisory for CVE-2024-5910 with a link to CISA’s report on active exploitation, but added no further details. The company did not respond to a request for comment.

“The flaw here is a simple oversight,” Jeff Williams, co-founder and CTO at Contrast Security, said via email. “Forgetting to add authentication to an administrator webpage means all an attacker has to do is browse to a certain URL to gain access.”

Palo Alto Networks advises customers to restrict network access to Expedition to authorized users, hosts or networks. The company said the vulnerability is fixed in Expedition 1.2.92 and all later versions.

Filed Under: Cyberattacks

Editors' picks

  • Abstract black and white monochrome art with surreal funnel.
    Image attribution tooltip
    Philipp Tur/Getty Images Plus via Getty Images
    Image attribution tooltip

    What is success in cybersecurity? Failing less.

    Defenders aren’t measured by pure wins or losses. Intrusions will happen, and their job is to keep a bad situation from getting worse.

    By Matt Kapko • April 26, 2024
  • Photo illustration of a VF Corp. SEC filing.
    Image attribution tooltip

    Photo illustration: Industry Dive; US Securities and Exchange Commission

    Image attribution tooltip

    How companies describe cyber incidents in SEC filings

    The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.

    By Matt Kapko • March 19, 2024

Company Announcements

View all | Post a press release
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Clay Platte Family Medicine Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
  • Abstract black and white monochrome art with surreal funnel.
    Image attribution tooltip
    Philipp Tur/Getty Images Plus via Getty Images
    Image attribution tooltip

    What is success in cybersecurity? Failing less.

    Defenders aren’t measured by pure wins or losses. Intrusions will happen, and their job is to keep a bad situation from getting worse.

    By Matt Kapko • April 26, 2024
  • Photo illustration of a VF Corp. SEC filing.
    Image attribution tooltip

    Photo illustration: Industry Dive; US Securities and Exchange Commission

    Image attribution tooltip

    How companies describe cyber incidents in SEC filings

    The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.

    By Matt Kapko • March 19, 2024
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell