CISA Warns of Active Exploitation of Critical Palo Alto Networks Vulnerability CVE-2024-5910
November 8, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical vulnerability in Palo Alto Networks Expedition, identified as CVE-2024-5910, which allows attackers to exploit missing authentication.
This vulnerability, which affects the firewall configuration migration tool, is currently being actively exploited, prompting Palo Alto Networks to update their advisory and urge users to upgrade their installations and limit exposure to the internet.
CISA confirmed the active exploitation of CVE-2024-5910 on November 7, 2024, and has added it to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to secure affected systems by the end of November.
In light of the exploitation, users are advised to rotate all Expedition usernames, passwords, and API keys to mitigate risks, especially after upgrading to the patched version.
CISA's update suggests that the vulnerability may have been discovered by third parties or identified during their investigations, indicating a broader concern for federal enterprises.
Despite the severity of the situation, there are fewer than twenty internet-exposed instances of Expedition, which implies that the exploitation has been limited and targeted.
CISA has not confirmed whether CVE-2024-5910 is being exploited alone or in conjunction with other vulnerabilities, but it emphasizes the commonality of such vulnerabilities as attack vectors.
Palo Alto Networks had previously issued fixes for CVE-2024-5910 in July 2024, yet the ongoing exploitation highlights the importance of immediate action from users.
The vulnerability allows remote attackers to reset application admin credentials on internet-exposed Expedition servers, further compromising security.
Palo Alto Networks is also transitioning core functionalities of Expedition to new products, with support for Expedition set to end in January 2025.
As a precaution, CISA advises administrators unable to apply security updates to restrict network access to Expedition servers to authorized users or networks.
Overall, the situation underscores the critical need for organizations to stay vigilant and proactive in securing their systems against emerging threats.
Summary based on 4 sources
Sources
BleepingComputer • Nov 7, 2024
CISA warns of critical Palo Alto Networks bug exploited in attacks
SecurityWeek • Nov 8, 2024
Palo Alto Networks Expedition Vulnerability Exploited in Attacks, CISA Warns
Help Net Security • Nov 8, 2024
Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910) - Help Net Security
The CyberWire • Nov 8, 2024
CISA issues urgent warning.