CVE-2024-9465 — Palo Alto Networks Expedition SQL Injection Vulnerability

Palo Alto Networks Expedition — Unauthenticated SQL Injection Exposes Firewall Credentials and Configs

What is Palo Alto Networks Expedition?

Palo Alto Networks Expedition is a configuration migration and optimization tool used to convert third-party firewall configurations (from Check Point, Cisco, Juniper, and others) into PAN-OS format, and to assist with ongoing PAN-OS policy optimization. Expedition is a web application that connects directly to PAN-OS devices and stores active credentials, device API keys, and full firewall configurations during migration projects. Despite this privileged access, Expedition is often deployed without hardening and sometimes left running and internet-accessible after migration work is complete — a dangerous combination.

Overview

CVE-2024-9465 is an unauthenticated SQL injection vulnerability in Palo Alto Networks Expedition that allows a remote attacker to read arbitrary data from the Expedition database, including plaintext and hashed credentials for PAN-OS devices, device API keys, usernames, and full firewall configuration files. It is part of a four-vulnerability cluster disclosed in PAN-SA-2024-0010 on October 9, 2024; exploitation was confirmed in the wild, and CISA added it to the KEV catalog on November 14, 2024. Credentials harvested from Expedition could be used directly to compromise the associated PAN-OS firewalls.

Affected Versions

Product                         Vulnerable   Fixed
Palo Alto Networks Expedition   < 1.2.96     1.2.96 and later

Technical Details

CWE-89 (SQL Injection). An unauthenticated attacker can inject SQL syntax into a web endpoint that constructs database queries without adequate input sanitization. The Expedition database stores sensitive migration artifacts:

  • Plaintext and hashed credentials for PAN-OS administrator accounts
  • Device API keys for managed firewalls
  • Full device configurations imported or generated during migration
  • Usernames for PAN-OS devices

The SQL injection also enables writing files to the Expedition filesystem. Combined with other vulnerabilities in the same PAN-SA-2024-0010 cluster (CVE-2024-9466 and CVE-2024-9467 for reflected XSS and stored XSS), and with CVE-2024-5910 (missing authentication, same product), an attacker can chain these flaws to achieve full Expedition compromise followed by compromise of all PAN-OS firewalls whose credentials were stored in Expedition.
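The defect class described above (CWE-89: attacker-controlled text spliced into a query string) is easiest to see side by side with its fix. The following is an added illustration, not Expedition's code or schema: it builds a constructed SQLite table standing in for the kind of device-credential records the advisory says Expedition stores, runs the same input through a concatenated query and a parameterized one, and returns both result sets so the difference is observable.

```python
"""
Added example, not code from Palo Alto Networks Expedition.
Demonstrates CWE-89 against a constructed in-memory table; the table name,
columns and sample rows are assumptions for illustration only.
"""
import sqlite3

# Constructed sample data: hypothetical device names and placeholder keys, not real values.
SAMPLE_DEVICES = [
    ("fw-edge-01", "admin", "HYPOTHETICAL-API-KEY-1"),
    ("fw-core-02", "admin", "HYPOTHETICAL-API-KEY-2"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_vulnerable(conn, device_name):
    """Vulnerable pattern: the caller's text becomes part of the SQL syntax (CWE-89)."""
    sql = "SELECT name, username, api_key FROM devices WHERE name = '" + device_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, device_name):
    """Hardened pattern: the value is bound by the driver and can never alter the query."""
    sql = "SELECT name, username, api_key FROM devices WHERE name = ?"
    return conn.execute(sql, (device_name,)).fetchall()


# A textbook tautology input; constructed for the demo, not tied to any Expedition endpoint.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups with the same input and return the two result sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "parameterized": lookup_parameterized(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    results = demo()
    print("concatenated query returned", len(results["vulnerable"]), "rows")
    print("parameterized query returned", len(results["parameterized"]), "rows")
```

With the concatenated query, the WHERE clause collapses to a condition that is true for every row, so the whole table (every stored credential in this toy) comes back; the parameterized query treats the same text as a literal device name and matches nothing. Input "sanitization" is the weaker control; binding parameters removes the defect class rather than filtering around it.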

Discovery

Reported to Palo Alto Networks by Zach Hanley of Horizon3.ai, a security research firm specializing in offensive security and attack path analysis. The cluster of four Expedition vulnerabilities was disclosed together in the October 9, 2024 advisory PAN-SA-2024-0010.

Exploitation Context

Exploitation was confirmed in the wild, prompting the November 14, 2024 KEV addition. The attack path was particularly dangerous for organizations that used Expedition for recent firewall migrations and left the tool running without network isolation. Any organization with an internet-accessible Expedition instance had its stored firewall credentials, API keys, and device configurations at risk. Successful exploitation could lead to complete compromise of every PAN-OS device whose credentials were ever stored in the affected Expedition instance.

Remediation

  1. Upgrade Expedition to version 1.2.96 or later.
  2. If Expedition is no longer actively needed, decommission it — the tool should not remain running after migration projects are complete.
  3. Restrict Expedition to a trusted internal IP range; it must not be internet-accessible.
  4. Rotate all PAN-OS administrator credentials and device API keys for every firewall that was ever managed through the Expedition instance, assuming credentials may have been exposed.
  5. Review Expedition access logs for unauthorized database queries or unexpected file access.
  6. Apply all four fixes from PAN-SA-2024-0010 (CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) and CVE-2024-5910 together, as they form a related attack cluster.
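Two of the steps above (confirming the installed version is at or past the fixed release, and reviewing access logs for injection attempts) can be scripted. The block below is an added example, not Palo Alto Networks tooling: the version check uses the 1.2.96 threshold from this advisory, while the log parser assumes a common combined-log layout with constructed sample lines, since the page does not describe Expedition's actual log format.

```python
"""
Added example, not Palo Alto Networks' code or tooling.
Assumptions: versions are dotted integers like '1.2.95'; log lines follow a
combined-log style. The log lines and IPs below are constructed samples.
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (1, 2, 96)  # from the advisory: fixed in Expedition 1.2.96 and later


def parse_version(text):
    """Turn '1.2.95' into (1, 2, 95) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_upgrade(version_text):
    """True when the installed Expedition version is below the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


# Constructed access-log lines (assumption: combined-log style, not Expedition's real format).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2024:09:12:09 +0000] "GET /lookup.php?name=fw-edge-01 HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2024:09:13:44 +0000] "GET /lookup.php?name=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9800
198.51.100.7 - - [10/Oct/2024:09:13:50 +0000] "GET /lookup.php?name=a%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 9800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

# Decoded query-string fragments that rarely appear in legitimate parameter values.
SQLI_HINTS = re.compile(
    r"('\s*(or|and)\s+'|union\s+select|--\s*$|;\s*(drop|insert|update)\b)",
    re.IGNORECASE,
)


def flag_suspicious_requests(log_text):
    """Return (ip, decoded path) for requests whose query string carries SQL-injection hints."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        path = unquote_plus(m.group("path"))  # decode %27, %3D and '+' before matching
        if "?" in path and SQLI_HINTS.search(path.split("?", 1)[1]):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    for version in ("1.2.95", "1.2.96"):
        print(version, "needs upgrade" if needs_upgrade(version) else "at or past fix")
    for ip, path in flag_suspicious_requests(SAMPLE_LOG):
        print("review:", ip, path)
```

The decode step matters: without it, URL-encoded quotes and spaces hide the pattern from a naive grep. Treat any hit as a trigger for the credential-rotation step rather than as proof of compromise or its absence, since a log review only sees what was logged.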

Key Details

Property              Value
CVE ID                CVE-2024-9465
Vendor / Product      Palo Alto Networks Expedition
NVD Published         2024-10-09
NVD Last Modified     2025-11-04
CVSS 3.1 Score        9.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity              CRITICAL
CWE                   CWE-89
CISA KEV Added        2024-11-14
CISA KEV Deadline     2024-12-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-12-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-10-09   CVE published; Palo Alto Networks releases PAN-SA-2024-0010 covering four Expedition vulnerabilities
2024-11-14   Added to CISA Known Exploited Vulnerabilities catalog
2024-12-05   CISA BOD 22-01 remediation deadline