CVE-2024-5910 — Palo Alto Networks Expedition Missing Authentication Vulnerability

Palo Alto Networks Expedition — Unauthenticated Admin Account Takeover Exposes Firewall Secrets

What is Palo Alto Networks Expedition?

Palo Alto Networks Expedition is a configuration migration and optimization tool used to convert third-party firewall configurations (Check Point, Cisco, Juniper, and others) into PAN-OS format. Expedition stores active PAN-OS device credentials, API keys, and complete firewall configurations while connected to firewalls during migration and optimization projects. Despite this privileged access, Expedition is often left running after migration work completes, sometimes with internet-accessible interfaces — creating a persistent high-value target.

Overview

CVE-2024-5910 is a missing authentication vulnerability in Palo Alto Networks Expedition that allows an unauthenticated remote attacker to reset the credentials of any Expedition account, including the admin account, and take over the Expedition instance. With admin access to Expedition, an attacker can access all PAN-OS device credentials, API keys, and firewall configurations stored in the tool. Disclosed July 10, 2024, it was added to the KEV catalog on November 7, 2024. It is closely related to CVE-2024-9465 (SQL injection in Expedition, added to KEV November 14), and the two vulnerabilities are typically addressed together.

Affected Versions

Product                       | Vulnerable | Fixed
Palo Alto Networks Expedition | < 1.2.92   | 1.2.92 and later

Note: the fix for CVE-2024-9465 requires Expedition 1.2.96. Organizations should upgrade to at least 1.2.96 to address both vulnerabilities.

Technical Details

CWE-306 (Missing Authentication for Critical Function). Expedition exposes an administrative function — credential reset — without requiring authentication. An unauthenticated attacker who can reach the Expedition web interface can invoke this endpoint to reset the password of any Expedition account, immediately granting themselves access as that user.

With Expedition admin access, an attacker can:

  • Read all PAN-OS device credentials stored in the Expedition database (plaintext and hashed)
  • Access device API keys for all firewalls connected to Expedition
  • Export complete firewall configurations including security policies, NAT rules, and address objects
  • Use the obtained credentials to directly authenticate to and compromise the associated PAN-OS firewalls

Relationship with CVE-2024-9465: CVE-2024-5910 provides authenticated admin access to Expedition (by resetting the admin password), which can then be used to pivot to SQL injection (CVE-2024-9465) or direct database access to enumerate stored credentials.
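The weakness class at issue, shown as an added illustration that is not Expedition's code (the function names, the in-memory user store, the session model and the admin set are all constructed for the example): a password-reset function that checks nothing about its caller, beside a version that requires a valid session and permits a reset only by the account owner or an administrator.

```python
import hashlib
import hmac
import secrets

# Constructed demo state; Expedition's real schema and endpoints are not modelled.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session token -> username of the authenticated caller
ADMINS = {"admin"}

def set_password(username: str, password: str) -> None:
    """Store a salted PBKDF2-HMAC-SHA256 hash of the password, never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])

def login(username: str, password: str):
    """Return a random session token on success, None on failure."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def reset_password_unauthenticated(target: str, new_password: str) -> bool:
    """CWE-306 pattern: a critical function reachable without any proof of who is
    calling it, so any caller can rewrite any account's password."""
    if target not in USERS:
        return False
    set_password(target, new_password)
    return True

def reset_password_checked(session_token, target: str, new_password: str) -> bool:
    """Hardened form: the caller must hold a valid session, and may only reset
    their own password unless they are an administrator."""
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None or target not in USERS:
        return False
    if caller != target and caller not in ADMINS:
        return False
    set_password(target, new_password)
    return True
```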

Discovery

Reported to Palo Alto Networks and disclosed on July 10, 2024; fixed in Expedition 1.2.92. Exploitation was confirmed in the wild prior to the November 7, 2024 KEV addition — four months after the patch, indicating organizations were slow to update the migration tool.

Exploitation Context

Active exploitation was confirmed and CISA added CVE-2024-5910 to the KEV catalog on November 7, 2024, one week before the related CVE-2024-9465 was added. The delayed KEV addition (four months after the July patch) reflects the reality that Expedition, as a migration tool rather than a production appliance, often goes unpatched for extended periods. Organizations that used Expedition for recent migrations but left the tool running on the network were at risk of having all associated firewall credentials silently exfiltrated.

Remediation

  1. Upgrade Expedition to 1.2.96 or later — this addresses both CVE-2024-5910 and CVE-2024-9465.
  2. If Expedition is no longer actively needed, decommission it immediately — the tool should not remain running after migration projects are complete.
  3. Restrict Expedition to trusted internal IP ranges; it must not be internet-accessible.
  4. Rotate all PAN-OS administrator credentials, device API keys, and secrets for every firewall that was ever connected to the Expedition instance.
  5. Review Expedition logs for unauthorized password resets or database access.

Key Details

Property             | Value
CVE ID               | CVE-2024-5910
Vendor / Product     | Palo Alto Networks — Expedition
NVD Published        | 2024-07-10
NVD Last Modified    | 2025-11-04
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-306
CISA KEV Added       | 2024-11-07
CISA KEV Deadline    | 2024-11-28
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2024-11-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-07-10 | CVE published; Palo Alto Networks releases Expedition 1.2.92 with patch
2024-11-07 | Added to CISA Known Exploited Vulnerabilities catalog
2024-11-14 | Related CVE-2024-9465 (SQL injection, same product) added to KEV
2024-11-28 | CISA BOD 22-01 remediation deadline