FortiDAST
FortiDAST performs automated black-box dynamic application security testing of web applications to identify vulnerabilities that bad actors may exploit.
rdiwakar
Staff
Article Id 367495
Description

This outbreak alert on 'Palo Alto Networks Expedition' covers four vulnerabilities: CVE-2024-5910, CVE-2024-9463, CVE-2024-9465 and CVE-2024-9466.

CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition migration tool. It stems from missing authentication controls, which could allow attackers to take over admin accounts and thereby compromise network configurations and sensitive information. Palo Alto Networks Expedition versions prior to 1.2.92 are vulnerable.

CVE-2024-9463 is an OS command injection vulnerability in Palo Alto Networks Expedition that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CVE-2024-9465 is an SQL injection vulnerability in Palo Alto Networks Expedition that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Through the same flaw, attackers can also create and read arbitrary files on the Expedition system.

CVE-2024-9466 is a cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.

This article describes the assessment of the 'Missing Authentication', 'Unauthenticated command injection vulnerability', 'Unauthenticated SQL injection vulnerability' and 'Cleartext credentials stored in logs' vulnerabilities in Palo Alto Networks software.

Scope

FortiDAST Scripting Engine updated in version 24.4.0

Solution

Detection of these vulnerabilities is provided by the FortiDAST Scripting Engine (FSE).

This technology enables FortiDAST to determine remotely, with a high level of confidence, whether an asset is affected by a specific vulnerability by testing a disarmed version of the exploit against the asset itself.

To configure the scan, enable the FSE group signature 'paloalto', which selects the underlying scripts as required by the scan: 'CVE-2024-5910 Palo Alto expedition admin account takeover vulnerability', 'CVE-2024-9463 Palo Alto expedition network remote code execution vulnerability', 'CVE-2024-9465 Palo Alto SQLi Vulnerability' and 'CVE-2024-9466 Palo Alto network expedition clear text storage of sensitive information vulnerability'.

For reference, a step-by-step guide on how to configure FortiDAST to trigger FSE can be found on Fortinet’s blog:

https://www.fortinet.com/blog/business-and-technology/fortipentest-exploit-engine-a-new-security-ars...

Contributors