Vulnerability Analysis

Palo Alto Expedition CVE-2024-9463: Command Injection in Migration Tool

Critical command injection vulnerabilities in Palo Alto Networks Expedition tool exposed firewall credentials and configurations, with CISA confirming active exploitation in November 2024.

Michael
Penetration Tester

In November 2024, CISA added CVE-2024-9463 and CVE-2024-9465 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of critical vulnerabilities in Palo Alto Networks Expedition, a migration and configuration tool used to transition firewall configurations from other vendors to Palo Alto Networks PAN-OS.

Palo Alto had initially disclosed and patched these vulnerabilities in October 2024, but the confirmation of in-the-wild exploitation elevated the urgency for organizations still running vulnerable Expedition instances.

The Vulnerabilities

Multiple vulnerabilities were disclosed in Expedition, collectively providing a comprehensive attack surface:

CVE-2024-9463 (CVSS 9.9): Unauthenticated OS command injection. An attacker can execute arbitrary operating system commands as root on the Expedition server without any authentication. This is the most critical of the set.

CVE-2024-9464 (CVSS 9.3): Authenticated OS command injection. Similar to CVE-2024-9463 but requires valid credentials.

CVE-2024-9465 (CVSS 9.2): Unauthenticated SQL injection. An attacker can access the Expedition database without authentication, exposing stored firewall configurations, credentials, and API keys.

CVE-2024-9466 (CVSS 8.2): Cleartext storage of credentials. Expedition stores firewall credentials, API keys, and other sensitive data in cleartext in its database and log files.

CVE-2024-9467 (CVSS 7.0): Reflected cross-site scripting (XSS) vulnerability in Expedition's web interface.

The combination of these vulnerabilities is devastating. An unauthenticated attacker can execute commands on the Expedition server (CVE-2024-9463), access its database (CVE-2024-9465), and extract cleartext credentials for every firewall that has been managed through Expedition (CVE-2024-9466).

Why Expedition Matters

Expedition (formerly known as Migration Tool) is used by organizations that are adopting Palo Alto Networks firewalls. Its primary functions include:

  • Converting firewall configurations from Cisco, Fortinet, Check Point, and other vendors to PAN-OS format.
  • Optimizing and auditing existing PAN-OS configurations.
  • Performing best-practice assessments on firewall rule sets.

To perform these functions, Expedition requires access to the firewall configurations it is analyzing. This means Expedition's database contains:

  • Complete firewall configurations, including all rules, objects, NAT policies, and routing configurations.
  • Administrative credentials for firewalls, stored to allow Expedition to pull and push configurations.
  • API keys for PAN-OS management interfaces.
  • LDAP and RADIUS credentials used for firewall authentication integration.
  • SSL/TLS certificates and private keys from firewall configurations.

An attacker who compromises Expedition gains access to the credentials and configurations for the organization's entire Palo Alto firewall infrastructure.

Exploitation Scenarios

Scenario 1: Firewall Takeover

An attacker exploits CVE-2024-9463 to gain root access on the Expedition server. They then query the database (or use CVE-2024-9465 directly) to extract admin credentials for all managed firewalls. Using these credentials, the attacker logs into the firewall management interfaces and modifies security policies to allow their traffic, creates VPN tunnels for persistent access, or disables security features.

Scenario 2: Network Intelligence Gathering

An attacker uses CVE-2024-9465 to dump the Expedition database without executing commands on the server. The database contains detailed firewall configurations that serve as a comprehensive map of the organization's network architecture, including internal IP ranges, DMZ configurations, VPN topologies, and allowed traffic flows. This intelligence can be used to plan a targeted network intrusion.

Scenario 3: Credential Harvesting

Expedition stores credentials in cleartext (CVE-2024-9466). These credentials often include:

  • Admin passwords that are reused across multiple firewalls.
  • Service account credentials for LDAP/AD integration.
  • API keys that provide programmatic access to firewall management.

These credentials may grant access to infrastructure beyond just firewalls, particularly if service account passwords are reused.

The "Migration Tool" Security Problem

Expedition exemplifies a common security blind spot: migration and configuration management tools are often treated as temporary or auxiliary systems, not as critical infrastructure requiring the same security rigor as the devices they manage.

In practice:

  • Expedition instances are sometimes left running long after the initial migration project is complete.
  • They are often deployed on general-purpose servers without hardening or network isolation.
  • They are accessible on corporate networks where any employee or compromised workstation can reach them.
  • They accumulate credentials over time as they are used for successive configuration projects.

This pattern (powerful administrative tools holding accumulated credentials and running on under-secured infrastructure) is a recurring theme in enterprise security incidents.

Mitigation and Remediation

Immediate actions:

  1. Update Expedition to version 1.2.96 or later, which addresses all five CVEs.
  2. Restrict network access to Expedition. It should only be accessible from dedicated management workstations, not from the general corporate network.
  3. Rotate all credentials that were stored in or accessible through Expedition:
    • Firewall admin passwords
    • API keys
    • LDAP/RADIUS service account passwords
    • SSL/TLS private keys
  4. Review Expedition logs for signs of unauthorized access, particularly access to the database or command execution.
  5. Decommission Expedition if it is no longer actively needed. Many organizations leave Expedition running after migration projects are complete.
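The immediate actions above can be applied mechanically across an inventory of Expedition hosts. The following is an added example, not code from the page or from Palo Alto Networks; the inventory records, the 90-day idle threshold and the field names are assumptions, and the fixed-version threshold is the 1.2.96 release named above.

```python
from dataclasses import dataclass
from datetime import date

FIXED_VERSION = (1, 2, 96)   # first Expedition release that addresses the five CVEs
IDLE_DAYS_LIMIT = 90         # assumption: unused this long means a decommission candidate


def parse_version(v: str) -> tuple:
    """Turn '1.2.95' into (1, 2, 95) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class ExpeditionInstance:          # assumed inventory record shape
    host: str
    version: str
    last_used: date
    reachable_from_corporate_lan: bool


def triage(inst: ExpeditionInstance, today: date) -> list:
    """Return the ordered action list for one instance, following the immediate actions."""
    actions = []
    if parse_version(inst.version) < FIXED_VERSION:
        actions.append("update to 1.2.96 or later")
    if inst.reachable_from_corporate_lan:
        actions.append("restrict access to management workstations only")
    # Stored credentials cannot be proven unread, so rotation and log review apply to every host.
    actions.append("rotate firewall admin passwords, API keys, LDAP/RADIUS accounts, TLS keys")
    actions.append("review logs for database access and command execution")
    if (today - inst.last_used).days > IDLE_DAYS_LIMIT:
        actions.append("decommission: idle longer than %d days" % IDLE_DAYS_LIMIT)
    return actions


def triage_inventory(instances: list, today: date) -> dict:
    """Map each host to its action list; hosts needing the most actions sort first."""
    result = {i.host: triage(i, today) for i in instances}
    return dict(sorted(result.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory (not real hosts).
SAMPLE = [
    ExpeditionInstance("expedition-legacy", "1.2.95", date(2024, 5, 1), True),
    ExpeditionInstance("expedition-mgmt", "1.2.96", date(2024, 11, 18), False),
]

if __name__ == "__main__":
    for host, acts in triage_inventory(SAMPLE, date(2024, 11, 20)).items():
        print(host, "->", "; ".join(acts))
```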

Longer-term practices:

  • Treat configuration management tools with the same security rigor as the devices they manage. If a tool stores admin credentials for 50 firewalls, it should be at least as well-protected as any individual firewall.
  • Implement credential vaulting. Tools like Expedition should retrieve credentials from a vault at runtime rather than storing them locally.
  • Include migration and management tools in your vulnerability management program. They are often overlooked during scanning and patching cycles.
  • Segment management infrastructure. Tools like Expedition should be on isolated management networks with strict access controls.

How Safeguard.sh Helps

Management and migration tools like Expedition are often invisible in an organization's asset inventory, making them easy targets.

  • Complete infrastructure inventory captures auxiliary tools like Expedition alongside primary security appliances, ensuring they are not overlooked in vulnerability management programs.
  • Credential exposure monitoring identifies components that store or have access to sensitive credentials, helping you prioritize security controls for the highest-risk assets.
  • Lifecycle tracking flags tools and components that have outlived their intended use, prompting decommissioning before they become a liability.
  • Vulnerability correlation maps CVEs to your deployed software inventory, ensuring that vulnerabilities in tools like Expedition receive the same attention as vulnerabilities in primary security infrastructure.

The tools you use to manage your security infrastructure are themselves part of the attack surface. Safeguard.sh ensures they are not the forgotten ones.
