CISA warns against active exploitation of critical vulnerabilities in Palo Alto networks

November 8, 2024Ravie LakshmananVulnerability / Network Security

CISA warns against active exploitation of critical vulnerabilities in Palo Alto networks

The American Cybersecurity and Infrastructure Security Agency (CISA) announced this on Thursday added a now patched critical vulnerability affecting Palo Alto Networks’ expedition to the known exploited vulnerabilities (KEV) catalogue, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an administrator account takeover.

“Palo Alto Expedition contains a missing authentication issue that could allow an attacker with network access to take over an Expedition administrator account and potentially gain access to configuration secrets, credentials, and other data,” CISA said in an alert.

Cybersecurity

The flaw affects all versions of Expedition before version 1.2.92, which was released in July 2024 to fix the issue.

There are currently no reports on how the vulnerability is being leveraged in real-world attacks, but Palo Alto Networks has since assessed its original advice to acknowledge that it is “aware of reports from CISA that there is evidence of active exploitation.”

Also added to the KEV catalog are two other flaws, including a privilege escalation vulnerability in the Android Framework component (CVE-2024-43093) which Google announced this week fell under “limited, targeted exploitation.”

The other security flaw is CVE-2024-51567 (CVSS score: 10.0), a critical flaw in CyberPanel that could allow an unauthenticated remote attacker run commands as root. The issue is resolved in version 2.3.8.

Cybersecurity

In late October 2023, the vulnerability was found to have been massively exploited by malicious actors to deploy PSAUX ransomware on more than 22,000 internet-exposed CyberPanel instances, according to LekIX and a security researcher using the online alias Gi7w0rm.

LeakIX too noted that three different ransomware groups quickly exploited the vulnerability, in some cases encrypting files multiple times.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by November 28, 2024, to secure their networks from active threats.

Did you find this article interesting? Follow us further Tweet And LinkedIn to read more exclusive content we post.