H3-2024-0041

Palo Alto Expedition Unauthenticated SQL Injection Vulnerability

Category VULNERABILITY
Base Score 9.2

Description

CVE-2024-9465 is an unauthenticated SQL injection vulnerability affecting Palo Alto Networks Expedition versions from 1.2.0 up to (excluding) 1.2.96. Expedition is a migration tool designed to reduce the time and effort needed to migrate a configuration from a supported vendor to Palo Alto Networks. By sending specific HTTP POST requests to a particular endpoint, an attacker can inject SQL commands, because the application does not properly neutralize special elements in request data before using it in SQL commands. Authentication is not required to exploit this vulnerability.
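The defect class named above, improper neutralization of special elements in SQL commands, is easiest to see next to its fix. The following is an added, generic illustration written for this page; it is not Expedition's code, the advisory does not show the affected endpoint or query, and the `users` table and its rows are constructed sample data. The vulnerable function splices a request parameter into the SQL text, so a value containing a quote changes the statement; the hardened function binds the same value as a parameter, so it is never parsed as SQL.

```python
import sqlite3

# Constructed sample data (not Expedition's real schema): the kind of
# content, usernames and password hashes, that the advisory says an
# attacker can read through the injection.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-password"),
    ("operator", "hash-of-operator-password"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Improper neutralization: the request value becomes part of the SQL text.

    A quote character in `username` closes the string literal, so the rest
    of the value is interpreted as SQL rather than as data.
    """
    query = (
        "SELECT username, password_hash FROM users "
        "WHERE username = '%s'" % username
    )
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_results(username):
    """Run both variants on the same input and return (vulnerable, hardened)."""
    conn = make_db()
    try:
        vulnerable = find_user_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # Malformed SQL from an unexpected quote surfaces here; a burst of
        # such errors in application logs is a useful detection signal.
        vulnerable = exc
    hardened = find_user_parameterized(conn, username)
    conn.close()
    return vulnerable, hardened


if __name__ == "__main__":
    # A legitimate value behaves the same under both variants ...
    print(lookup_results("admin"))
    # ... while a value carrying a tautology dumps every row from the
    # vulnerable variant and matches nothing in the parameterized one.
    print(lookup_results("' OR '1'='1"))
```

Parameter binding is the primary fix for this class; additional layers that limit the impact the advisory describes are a database account for the web application that has only the privileges it needs (in particular, no file read/write privileges) and application-level validation of request fields against the format they are expected to have.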

Impact

An attacker who abuses this vulnerability can read Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. Additionally, the attacker can create and read arbitrary files on the Expedition system.

References