CISA: ‘Critical’ Palo Alto Networks Flaw Has Seen Exploitation

The vulnerability affects Palo Alto Networks’ Expedition migration tool and was originally disclosed in July.

A critical-severity vulnerability affecting a Palo Alto Networks tool — originally disclosed in July — is now known to have been exploited in cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

CISA released an advisory Thursday mentioning the vulnerability (tracked as CVE-2024-5910), which affects Palo Alto Networks’ Expedition migration tool.

The federal cybersecurity agency added the bug to its catalog of vulnerabilities known to have seen exploitation in the wild, along with three other software flaws from other vendors. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in the advisory.

While the order only applies to Federal Civilian Executive Branch agencies, “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation” of actively exploited vulnerabilities such as the Palo Alto Networks flaw, the agency said.

The missing authentication vulnerability “can lead to an Expedition admin account takeover for attackers with network access to Expedition,” Palo Alto Networks said in its initial advisory about the flaw on July 10.

At the time, Palo Alto Networks said it wasn’t aware of exploitation of the vulnerability, which has received a “critical” severity rating of 9.3 out of 10.0.

In a statement, Palo Alto Networks said it is “aware of a report published by CISA regarding the active exploitation of CVE-2024-5910.”

“We have updated our Security Advisory, CVE-2024-5910 originally issued on July 7, 2024, detailing mitigations for this vulnerability and urging customers to make sure Expedition is updated to 1.2.92 or later versions,” the company said. “We will continue to monitor the situation closely.”