CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

Avatar
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover.

“Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA said in an alert.

The shortcoming impacts all versions of Expedition prior to version 1.2.92, which was released in July 2024 to plug the problem.

There are currently no reports on how the vulnerability is being weaponized in real-world attacks, but Palo Alto Networks has since revised its original advisory to acknowledge that it’s “aware of reports from CISA that there is evidence of active exploitation.”

Also added to the KEV catalog are two other flaws, including a privilege escalation vulnerability in the Android Framework component (CVE-2024-43093) that Google disclosed this week as having come under “limited, targeted exploitation.”

The other security defect is CVE-2024-51567 (CVSS score: 10.0), a critical flaw affecting CyberPanel that allows a remote, unauthenticated attacker to execute commands as root. The issue has been resolved in version 2.3.8.

In late October 2023, it emerged that the vulnerability was being exploited en masse by malicious actors to deploy PSAUX ransomware on more than 22,000 internet-exposed CyberPanel instances, according to LeakIX and a security researcher who goes by the online alias Gi7w0rm.

LeakIX also noted that three distinct ransomware groups have quickly capitalized on the vulnerability, with files encrypted multiple times in some cases.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by November 28, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

China-linked hackers tasked with Japanese targets pursue them through Europe

Next Post

New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

Related Posts

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.
Avatar
Read More

New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers

Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. "Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably," a group of academics from the Graz University of Technology said [PDF]. "
Avatar
Read More