Skip to main content
close search
site logo
Dive Brief

Attackers target Palo Alto Networks’ customer migration tool

An actively exploited vulnerability in Expedition allows attackers to achieve admin account takeover. The product reaches end of life in January.

Published Nov. 8, 2024
Matt Kapko's headshot
Senior Reporter
Palo Alto Networks
Cybersecurity professionals assemble for a presentation at Palo Alto Networks' booth on the show floor on April 27, 2023 at the RSA Conference in San Francisco. Attackers are exploiting a critical vulnerability in Palo Alto Networks' customer migration tool, the Cybersecurity and Infrastructure Agency said on Nov. 7, 2024. Matt Kapko/Cybersecurity Dive

Dive Brief:

  • Attackers are actively exploiting a critical vulnerability in Palo Alto Networks Expedition, the security vendor’s tool for migrating customers over from other vendors. The Cybersecurity and Infrastructure Security Agency added CVE-2024-5910 to its known exploited vulnerabilities catalog on Thursday.
  • Palo Alto Networks alerted customers to the vulnerability in a July 10 security advisory and issued a patch via a software update. At the time, the vendor said there was no evidence of active exploitation at the time.
  • The missing authentication for a critical function vulnerability in Palo Alto Networks Expedition, which has a CVSS score of 9.3, can allow an attacker to achieve admin account takeover and gain access to configuration secrets, credentials and other data imported into the migration tool.

Dive Insight:

Attackers are exploiting the previously patched vulnerability in a migration tool Palo Alto Networks previously said it plans to no longer support beginning in January. “We are currently in the process of transferring the core functionalities of the tool into new products,” the company said in a June post announcing end of life support for Expedition on its community forum.

Palo Alto Networks Expedition allows customers to convert a configuration from Checkpoint, Cisco and other supported vendors to a PAN-OS deployment.

Palo Alto Networks, the world’s largest cybersecurity vendor, is trying to lure customers away from competitors. An initiative it kicked off earlier this year offers customers deferred billings if they consolidate spending with the company as they wait for contracts to expire with rival firms.

Palo Alto Networks updated its security advisory for CVE-2024-5910 with a link to CISA’s report on active exploitation, but added no further details. The company did not respond to a request for comment.

“The flaw here is a simple oversight,” Jeff Williams, co-founder and CTO at Contrast Security, said via email. “Forgetting to add authentication to an administrator webpage means all an attacker has to do is browse to a certain URL to gain access.”

Palo Alto Networks advises customers to restrict network access to Expedition to authorized users, hosts or networks. The company said the vulnerability is fixed in Expedition 1.2.92 and all later versions.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell