The cybersecurity agency CISA on Thursday warned about two additional Palo Alto Networks Expedition vulnerabilities exploited in attacks. 

On November 7, CISA informed organizations that it had become aware that CVE-2024-5910, a Palo Alto Networks Expedition vulnerability patched in July, has been exploited in attacks.

CVE-2024-5910 is a critical missing authentication issue that allows an attacker with network access to Expedition to take over administrator accounts. The flaw puts credentials and configuration secrets at risk.

Expedition is a tool designed to make it easier for users to migrate a configuration from a third-party vendor such as Check Point or Cisco to a Palo Alto Networks product.  

On November 14, CISA warned about the exploitation of two additional Expedition vulnerabilities. The flaws, tracked as CVE-2024-9463 and CVE-2024-9465, are critical flaws that were patched by the vendor in early October.

Palo Alto Networks updated its initial advisory on Thursday to say that it learned about the active exploitation of CVE-2024-9463 and CVE-2024-9465 from CISA. 

CVE-2024-9463 is an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root, resulting in the disclosure of cleartext credentials, device configurations, and API keys. 

CVE-2024-9465 is an SQL injection flaw that can be exploited by an unauthenticated attacker to obtain sensitive information from the Expedition database, and to create and read arbitrary files on the system. 

News of the two additional Expedition vulnerabilities being exploited in the wild comes just as Palo Alto Networks has confirmed that a new remote code execution vulnerability impacting its firewalls has been exploited in attacks as a zero-day. The new zero-day does not have a CVE identifier at the time of writing. 

The attacks do not appear to be related as Palo Alto said it learned about the exploitation of all of the Expedition vulnerabilities from CISA.

There does not seem to be any public information on the attacks exploiting the three Expedition vulnerabilities. It’s unclear if the three flaws have been exploited by the same threat actor or in unrelated attacks. 

The technical details of CVE-2024-5910 and CVE-2024-9465 were disclosed on October 9 by cybersecurity firm Horizon3.ai.

All of the Palo Alto Networks Expedition flaws have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with the agency instructing government organizations to take action to prevent potential exploitation. 

Related: Palo Alto Networks Confirms New Firewall Zero-Day Exploitation

Related: Palo Alto Networks Adds New Capabilities to OT Security Solution

Related: Palo Alto Patches Critical Firewall Takeover Vulnerabilities