Palo Alto Networks Expedition SQL Injection Vulnerability (CVE-2024-9465)
Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data. Federal agencies are required to remediate by 2024-12-05 under CISA BOD 22-01.
This is a SQL Injection (CWE-89) vulnerability in Palo Alto Networks Expedition. An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.