Dive Brief:
- Attackers are actively exploiting a critical vulnerability in Palo Alto Networks Expedition, the security vendor’s tool for migrating customers over from other vendors. The Cybersecurity and Infrastructure Security Agency added CVE-2024-5910 to its known exploited vulnerabilities catalog on Thursday.
- Palo Alto Networks alerted customers to the vulnerability in a July 10 security advisory and issued a patch via a software update. At the time, the vendor said there was no evidence of active exploitation.
- The vulnerability, a missing-authentication-for-critical-function flaw in Palo Alto Networks Expedition with a CVSS score of 9.3, can allow an attacker to take over the admin account and gain access to configuration secrets, credentials and other data imported into the migration tool.
Dive Insight:
Attackers are exploiting the previously patched vulnerability in a migration tool that Palo Alto Networks has said it plans to stop supporting beginning in January. “We are currently in the process of transferring the core functionalities of the tool into new products,” the company said in a June post on its community forum announcing the end of life of Expedition.
Palo Alto Networks Expedition allows customers to convert a configuration from Check Point, Cisco and other supported vendors to a PAN-OS deployment.
Palo Alto Networks, the world’s largest cybersecurity vendor, is trying to lure customers away from competitors. An initiative it kicked off earlier this year offers customers deferred billings if they consolidate spending with the company as they wait for contracts to expire with rival firms.
Palo Alto Networks updated its security advisory for CVE-2024-5910 with a link to CISA’s report on active exploitation, but added no further details. The company did not respond to a request for comment.
“The flaw here is a simple oversight,” Jeff Williams, co-founder and CTO at Contrast Security, said via email. “Forgetting to add authentication to an administrator webpage means all an attacker has to do is browse to a certain URL to gain access.”
Palo Alto Networks advises customers to restrict network access to Expedition to authorized users, hosts or networks. The company said the vulnerability is fixed in Expedition 1.2.92 and all later versions.