CISA has raised the alarm about the recently discovered CVE-2024-5910 in Palo Alto Networks’ Expedition tool. This vulnerability is being actively exploited, leaving organizations scrambling to secure their systems before attackers take advantage.
But here's the good news: you don't have to wait for the next patch or vulnerability report to react. With FireCompass, you can identify such risks, and your exposure to them, within the first 24 hours of a CVE’s release.
What is CVE-2024-5910 and Why Does It Matter?
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, which is often used for firewall migration and tuning. The flaw lies in a missing authentication check on a crucial function, allowing an attacker with network access to potentially take over an admin account. This could lead to access to sensitive data like credentials and configuration secrets, posing severe risks to your network's security.
The vulnerability is especially concerning in government and enterprise environments, where Expedition is relied on for secure network management. If your organization uses this tool, you could already be at risk, especially if you're running a version below 1.2.92.
This CVE has been given a high severity rating, with a CVSSv4.0 score of 9.3, making it a significant threat. While Palo Alto Networks has released a patch to address the issue, the risk remains, especially for those who haven't yet updated to the latest version.
How Fast Can Attackers Exploit This Vulnerability?
The vulnerability's danger isn't just in its existence but in its exploitation. Initially discovered by Palo Alto Networks, the flaw saw increased attention when security researcher Zach Hanley from Horizon3.ai released a proof-of-concept (PoC) in October. This PoC demonstrated how the vulnerability could be chained with another flaw—CVE-2024-9464—to escalate the risk, allowing unauthenticated attackers to execute arbitrary commands on vulnerable servers remotely. This opens the door for attackers to take full control over firewall configurations, potentially giving them access to sensitive network areas.
CISA has added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) Catalog, meaning that U.S. federal agencies must secure their systems by November 28. This is a clear sign of the urgency involved—if the U.S. government is prioritizing patching, so should you.
The Real Danger: Exploiting the Exploitation Window
The exploitation window for vulnerabilities like CVE-2024-5910 is narrow, and once attackers find a way in, they can move quickly. The key to preventing these attacks is early detection and fast action. The good news? You don't have to rely on traditional methods like periodic penetration tests that might miss critical vulnerabilities.
With FireCompass’s Continuous Automated Red Teaming (CART), your organization can test for vulnerabilities like CVE-2024-5910 the moment they're discovered, not weeks or months later. By running continuous penetration tests, FireCompass ensures you're always on top of potential exploits, giving you the time you need to patch vulnerabilities before attackers can take advantage.
>>Want to stay ahead of emerging threats?
Join CISO Platform—the CyberSecurity Community to stay updated on the latest cybersecurity insights and strategies.
FireCompass Day 1 CVE Playbook: Find Critical Risks in 24 Hours Before It Gets Exploited
Here's where FireCompass comes in. In a world where vulnerabilities like CVE-2024-5910 can turn into full-blown attacks within hours, you need a proactive approach to cybersecurity. FireCompass helps you:
- Find Exposure Early: We help you detect vulnerabilities like CVE-2024-5910 within the first 24 hours of their release, ensuring you can act quickly before attackers exploit them.
- Run Continuous Penetration Testing: FireCompass continuously tests your network for vulnerabilities, so you're never caught off guard by a new CVE or emerging threat.
- Simulate Real-World Attacks: With our red teaming capabilities, we simulate real-world attack scenarios to identify vulnerabilities that could put your organization at risk.
- Prioritize Critical Risks: We help you focus on the vulnerabilities that matter most, so you can address the most dangerous risks first.
The key to defending against vulnerabilities like CVE-2024-5910 isn’t just about applying patches as they become available—it’s about identifying and fixing the vulnerabilities before they’re exploited.
Mitigating CVE-2024-5910: What You Need to Do
If you’re running Expedition versions below 1.2.92, you’re vulnerable. Here's what you need to do to mitigate the risk:
- Upgrade to Version 1.2.92 or Later: Palo Alto Networks has fixed CVE-2024-5910 in version 1.2.92. Make sure you're using an updated version to protect against this vulnerability.
- Rotate Credentials: After upgrading, reset all credentials in Expedition and any associated firewalls. This helps protect against the misuse of any credentials that may have been compromised.
- Restrict Network Access: If you're unable to apply the patch immediately, restrict network access to your Expedition servers. Use network segmentation and access control lists (ACLs) to limit exposure and protect your systems until you can patch.
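
The three steps above applied to an inventory, as an added example that is not part of the original article or of any vendor tooling. The host names, the management subnet 10.20.0.0/24 and the inventory format are constructed assumptions; only the fixed version 1.2.92 comes from the page.

```python
import ipaddress

FIXED = (1, 2, 92)  # first fixed Expedition release named on this page
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed management subnet

# Constructed inventory (hypothetical hosts): reported version and the source
# networks each host's ACL currently admits to the Expedition interface.
INVENTORY = [
    {"host": "exp-lab-01", "version": "1.2.91", "allowed": ["0.0.0.0/0"]},
    {"host": "exp-dc-02", "version": "1.2.100", "allowed": ["10.20.0.0/24"]},
    {"host": "exp-dr-03", "version": "1.2.9",
     "allowed": ["10.20.0.0/24", "192.0.2.0/24"]},
    {"host": "exp-old-04", "version": "unknown", "allowed": ["10.20.0.0/24"]},
]


def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text):
    """Compare numerically: '1.2.100' is newer than '1.2.92', '1.2.9' is older.
    A version that cannot be parsed is treated as vulnerable (fail closed)."""
    version = parse_version(version_text)
    return version is None or version < FIXED


def overexposed(allowed):
    """True if any admitted source network lies outside the management subnet."""
    return any(not ipaddress.ip_network(n).subnet_of(MGMT_NET) for n in allowed)


def triage(inventory):
    """Map each host to the mitigation steps from the list that still apply."""
    plan = {}
    for item in inventory:
        steps = []
        if is_vulnerable(item["version"]):
            # Credential rotation follows the upgrade, as the list specifies.
            steps = ["upgrade", "rotate-credentials"]
            if overexposed(item["allowed"]):
                # Tighten the ACL first when the host cannot be patched at once.
                steps.insert(0, "restrict-access")
        plan[item["host"]] = steps
    return plan


if __name__ == "__main__":
    for host, steps in triage(INVENTORY).items():
        print(host, ", ".join(steps) or "no action")
```

Comparing the version strings as text would rank 1.2.100 below 1.2.92 and wrongly flag a patched host, which is why the check converts each component to an integer first.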
While patching is critical, it’s not the only step you should take. Continuous testing and proactive monitoring can help you stay ahead of not just CVE-2024-5910 but any vulnerability that might arise.
Final Thoughts: Don’t Let Vulnerabilities Linger
Vulnerabilities are discovered every day, and new exploits are found even faster. We need to act before the hackers exploit these risks.
Sources:
https://github.com/horizon3ai/CVE-2024-9464
https://security.paloaltonetworks.com/CVE-2024-5910