A Palo Alto Networks Expedition vulnerability patched a few months ago is being exploited in attacks, according to the cybersecurity agency CISA.

The vulnerability is tracked as CVE-2024-5910 and it was patched by Palo Alto Networks in July. The security hole has been described as a critical missing authentication issue that can allow an attacker with network access to Expedition to take over an admin account.

Expedition is a tool designed to make it easier for users to migrate a configuration from a third-party vendor such as Checkpoint or Cisco to a Palo Alto Networks product. 

According to Palo Alto’s advisory for CVE-2024-5910, “Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.” 

The cybersecurity giant updated its advisory on Thursday to note that it has learned from CISA about the active exploitation of the vulnerability. This indicates that CISA learned from a third-party about in-the-wild exploitation, or the agency discovered exploitation itself during one of its investigations. 

No information appears to be available about the attacks exploiting CVE-2024-5910. However, there are less than two dozen internet-exposed instances of Expedition and given the nature of the tool, CVE-2024-5910 has likely been leveraged in limited, targeted attacks. 

Technical details on the flaw were made public by cybersecurity firm Horizon3.ai on October 9. At the same time, Horizon3.ai released information on three other critical and high-severity Expedition vulnerabilities that can be exploited to obtain credentials and other sensitive information. There is no evidence of in-the-wild exploitation for these other flaws.

CISA has added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it by the end of the month. This is the second Palo Alto Networks product vulnerability added to the KEV list this year. 

Palo Alto Networks announced recently that the core functionalities of the Expedition tool are being transferred into new products and Expedition will no longer be supported starting in January 2025. 

CISA on Thursday also added recently patched Android and CyberPanel vulnerabilities to its KEV catalog, alongside a 2019 Nostromo vulnerability that can allow remote code execution.  

Related: Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability 

Related: Palo Alto Patches Critical Firewall Takeover Vulnerabilities

Related: Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability

Related: Palo Alto Networks Patches Unauthenticated Command Execution Flaw in Cortex XSOAR