CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

Avatar
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover.

“Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA said in an alert.

The shortcoming impacts all versions of Expedition prior to version 1.2.92, which was released in July 2024 to plug the problem.

There are currently no reports on how the vulnerability is being weaponized in real-world attacks, but Palo Alto Networks has since revised its original advisory to acknowledge that it’s “aware of reports from CISA that there is evidence of active exploitation.”

Also added to the KEV catalog are two other flaws, including a privilege escalation vulnerability in the Android Framework component (CVE-2024-43093) that Google disclosed this week as having come under “limited, targeted exploitation.”

The other security defect is CVE-2024-51567 (CVSS score: 10.0), a critical flaw affecting CyberPanel that allows a remote, unauthenticated attacker to execute commands as root. The issue has been resolved in version 2.3.8.

In late October 2023, it emerged that the vulnerability was being exploited en masse by malicious actors to deploy PSAUX ransomware on more than 22,000 internet-exposed CyberPanel instances, according to LeakIX and a security researcher who goes by the online alias Gi7w0rm.

LeakIX also noted that three distinct ransomware groups have quickly capitalized on the vulnerability, with files encrypted multiple times in some cases.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by November 28, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

China-linked hackers tasked with Japanese targets pursue them through Europe

Next Post

New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

Related Posts

APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as
Avatar
Read More

New Android Banking Malware ‘ToxicPanda’ Targets Users with Fraudulent Money Transfers

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino
Avatar
Read More