CVE-2024-9463 — Palo Alto Networks Expedition OS Command Injection Vulnerability

CVE-2024-9463

Palo Alto Networks Expedition — Unauthenticated Root OS Command Injection Exposes Firewall Credentials and Configs

What is Palo Alto Networks Expedition?

Palo Alto Networks Expedition (formerly the PAN-OS Migration Tool) is a utility that helps network engineers migrate firewall configurations from other vendors (Cisco, Check Point, Juniper) to PAN-OS, and assists with policy optimization and security profile upgrades. Expedition is deployed on-premises as a virtual machine with a web interface and has read/write access to PAN-OS firewall configurations — including usernames, credentials, API keys, and security policies for the firewalls it manages. Because Expedition stores firewall administrative credentials to perform configuration tasks, compromising Expedition is equivalent to compromising all the firewalls it manages.

Overview

CVE-2024-9463 is an unauthenticated OS command injection vulnerability in Palo Alto Networks Expedition: a remote attacker can execute arbitrary OS commands as root on the Expedition host without presenting any credentials. Successful exploitation exposes the usernames, cleartext passwords, device configurations, and API keys of every PAN-OS firewall configured in Expedition. Palo Alto Networks disclosed it in PAN-SA-2024-0010 (October 2024) together with CVE-2024-9465 (SQL injection) in the same product; the earlier CVE-2024-5910 (missing authentication, disclosed separately in July 2024) is a third unauthenticated entry point. CISA added CVE-2024-9463 to the KEV catalog in November 2024. Expedition 1.2.96 fixes all three.

Affected Versions

Product Vulnerable Fixed
Palo Alto Networks Expedition < 1.2.96 1.2.96

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Expedition's web interface processes user-supplied or configuration-derived input that is passed to OS commands without adequate sanitization. An unauthenticated attacker can craft an HTTP request that injects shell commands, executing them as root — the highest privilege on the underlying Linux VM. Because Expedition stores PAN-OS firewall credentials for its configuration management functions, root access to the Expedition VM provides direct access to:

  • Cleartext administrator passwords for managed PAN-OS firewalls
  • PAN-OS API keys for all managed devices
  • Complete firewall configurations including security policies, NAT rules, VPN settings, and network topology
  • Usernames and credentials for LDAP, RADIUS, and other authentication backends configured in Expedition
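The CWE-78 pattern described above, shown as an added example in Python rather than Expedition's own (PHP) code: a request parameter spliced into a shell command string, the half-fix of quoting it, and the hardened form that allowlists the value and runs without a shell. The `file` parameter, the upload directory and the `wc -l` invocation are hypothetical stand-ins chosen for illustration; nothing here is taken from the Expedition code base.

```python
import re
import shlex
import subprocess

# Hypothetical upload location used for illustration only.
UPLOAD_DIR = "/tmp/uploads"

# Allowlist for an uploaded-config filename: an alphanumeric first character,
# then only alphanumerics, dot, underscore and hyphen. That excludes '/', every
# shell metacharacter, and a leading '.', which also rules out '..'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_vulnerable(filename: str) -> str:
    """CWE-78 pattern: request data is spliced into a shell command string.

    Anything after ';' (or '|', '&&', '$(...)', backticks) in `filename`
    becomes a second command once this string is handed to a shell.
    """
    return f"wc -l {UPLOAD_DIR}/{filename}"


def build_quoted(filename: str) -> str:
    """Half-fix: shlex.quote stops the shell from interpreting metacharacters,
    but says nothing about the meaning of the value. A traversal payload
    passes through untouched because it contains no characters that need
    quoting, so the command still reads a file outside UPLOAD_DIR."""
    return f"wc -l {UPLOAD_DIR}/{shlex.quote(filename)}"


def build_hardened(filename: str) -> list[str]:
    """Validate against the allowlist, then build an argv list (no shell).

    '--' ends option parsing, so a value starting with '-' could never be
    read as a flag by the target program even if the allowlist were relaxed.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["wc", "-l", "--", f"{UPLOAD_DIR}/{filename}"]


def run_hardened(filename: str) -> str:
    """Execute the allowlisted command with shell=False (the default), so the
    argv list reaches the program without any shell parsing in between."""
    argv = build_hardened(filename)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    payload = "config.txt; id"
    print(build_vulnerable(payload))         # two commands once a shell parses it
    print(build_quoted("../../etc/passwd"))  # quoted, yet still a traversal
    print(build_hardened("config.txt"))
    try:
        build_hardened(payload)
    except ValueError as exc:
        print(exc)
```

The point of the three builders side by side: quoting alone closes the shell-injection hole but leaves path traversal open, while the allowlist plus argv form closes both and does not depend on remembering to quote at every sink.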

This vulnerability is one of a cluster of Expedition bugs (CVE-2024-9463, CVE-2024-9465, CVE-2024-5910) that together provide several unauthenticated attack paths against the tool: CVE-2024-9465 is an SQL injection and CVE-2024-5910 a missing-authentication flaw, each an independent entry point into the same product.

Discovery

Disclosed by Palo Alto Networks in PAN-SA-2024-0010. Zach Hanley of Horizon3.ai, credited in the advisory for the report, published an analysis of the Expedition vulnerability cluster.

Exploitation Context

CISA's addition of CVE-2024-9463 to the KEV catalog on November 14, 2024 reflects evidence of active exploitation. Expedition is designed as a temporary migration tool, but it is often left running long after a migration completes, holding firewall credentials and going unpatched. An internet-exposed Expedition instance is therefore a high-value credential-theft target: an attacker who compromises it obtains administrator credentials for every managed firewall, and with them a path into the rest of the network infrastructure.

Remediation

  1. Upgrade Expedition to version 1.2.96 or later. This version addresses CVE-2024-9463, CVE-2024-9465 (SQL injection), and CVE-2024-5910 (missing auth).
  2. If Expedition is no longer needed, shut it down and remove it from the network immediately. Expedition is a temporary migration tool — it should not run permanently.
  3. Restrict Expedition web interface access to authorized IP addresses only — it must not be internet-accessible.
  4. After patching or removing Expedition, rotate all PAN-OS credentials that were stored in the tool: admin passwords, API keys, and any LDAP/RADIUS credentials configured in the migration projects.
  5. Review PAN-OS audit logs for unauthorized configuration changes and unexpected API calls during the exposure window.
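Two checks that go with steps 1 and 5 of the procedure above, written as an added example (not Palo Alto Networks tooling): a version gate that tells you whether a reported Expedition build is below the fixed 1.2.96, and a triage pass over the web server access log in front of Expedition that flags requests whose decoded query string carries shell metacharacters. The log lines, paths and parameter names are constructed placeholders; the combined log format is an assumption about the deployment, and the scan only sees what the web server logs (query strings, not POST bodies), so an empty result does not clear a host.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Version in which Palo Alto Networks fixed CVE-2024-9463 (and 9465, 5910).
FIXED_VERSION = (1, 2, 96)


def parse_version(text: str) -> tuple:
    """'1.2.95' -> (1, 2, 95). Raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(version: str) -> bool:
    """True when the running Expedition build is older than 1.2.96."""
    return parse_version(version) < FIXED_VERSION


# Apache/nginx combined log format, assumed for the web server in front of
# Expedition; a real deployment's format may differ and the regex would need
# adjusting to match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a filename or config
# parameter: command separators, pipes, backticks, $(...) / ${...}
# substitution, embedded newlines.
INJECTION_RE = re.compile(r"[;&|`\n]|\$\(|\$\{")


def triage_access_log(lines):
    """Return the requests whose URL-decoded query string contains shell
    metacharacters. Decoding first matters: attackers send ';' as %3B and
    '$(' as %24%28, which a raw-line grep misses."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        decoded = unquote_plus(parts.query)
        found = INJECTION_RE.search(decoded)
        if found:
            hits.append({
                "ip": match["ip"],
                "time": match["time"],
                "path": parts.path,
                "decoded_query": decoded,
                "marker": found.group(0),
            })
    return hits


# Constructed sample log lines (not real Expedition traffic); the endpoint
# /api/import and the 'file' parameter are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2024:03:14:07 +0000] "GET /api/import?file=config.txt HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Nov/2024:03:14:09 +0000] "GET /api/import?file=config.txt%3Bid HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Nov/2024:03:15:01 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.10 - - [12/Nov/2024:03:15:30 +0000] "GET /api/import?file=%24%28cat+%2Fetc%2Fpasswd%29 HTTP/1.1" 200 1040',
]

if __name__ == "__main__":
    for version in ("1.2.95", "1.2.96"):
        print(version, "needs upgrade" if needs_upgrade(version) else "patched")
    for hit in triage_access_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["path"], repr(hit["decoded_query"]), "marker:", hit["marker"])
```

Any hit from an address you do not recognise, inside the window between the advisory date and the day the host was patched or removed, is the cue to treat the stored firewall credentials as compromised and carry out the rotation in step 4 rather than waiting on further evidence.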

Key Details

Property              Value
CVE ID                CVE-2024-9463
Vendor / Product      Palo Alto Networks — Expedition
NVD Published         2024-10-09
NVD Last Modified     2025-11-04
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2024-11-14
CISA KEV Deadline     2024-12-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2024-12-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-10-09  Palo Alto Networks publishes PAN-SA-2024-0010, covering CVE-2024-9463 and CVE-2024-9465 (SQL injection); Expedition 1.2.96 is the fixed version and also covers the earlier CVE-2024-5910 (missing auth)
2024-11-14  Added to CISA Known Exploited Vulnerabilities catalog
2024-12-05  CISA BOD 22-01 remediation deadline