Palo Alto Networks has issued a warning to customers regarding critical vulnerabilities in its PAN-OS firewalls, urging immediate action to patch security flaws for which public exploit code is already available.

The company revealed in its latest advisory that these issues were found in the Expedition tool, which assists in migrating configurations from vendors such as Check Point and Cisco.

If exploited, the flaws could give attackers access to sensitive data, including usernames, cleartext passwords, device configurations, and device API keys, posing a significant security risk to firewall administrative accounts.

Critical security flaws highlighted by Palo Alto Networks

The advisory released by Palo Alto Networks highlighted that the vulnerabilities stem from various security issues, including command injection, SQL injection, missing authentication, cross-site scripting (XSS), and the storage of sensitive information in cleartext. The flaws are CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, and CVE-2024-9467.

“Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system,” said the cybersecurity firm. “Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

“These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.”

Zach Hanley, a vulnerability researcher at Horizon3.ai, reported four of these vulnerabilities. Hanley has also published a detailed analysis explaining how he discovered the flaws; his research builds on the analysis of an earlier vulnerability, CVE-2024-5910, which was disclosed and patched in July.

Hanley also released a proof-of-concept exploit that chains the CVE-2024-5910 admin reset flaw with the CVE-2024-9464 command injection vulnerability, enabling unauthenticated arbitrary command execution on vulnerable Expedition servers.

While Palo Alto Networks has stated that there is no evidence yet of these vulnerabilities being actively exploited, the company has made patches available in Expedition version 1.2.96 and all subsequent releases. The patch also removes the cleartext file linked to CVE-2024-9466.

The cybersecurity company strongly advises customers to rotate all usernames, passwords, and API keys within Expedition, as well as any firewall credentials processed by the system. For those unable to apply the update immediately, the company recommends restricting network access to Expedition, ensuring only authorised users or networks can reach it.
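The remediation guidance above reduces to a short triage: compare each Expedition instance's version against the fixed release (1.2.96) and, for anything older, upgrade, rotate credentials and restrict network access in the meantime. The script below is an added example written for this article, not code from Palo Alto Networks or the Expedition project; the host inventory it runs over is constructed for illustration, and the `is_patched`, `parse_version` and `triage` names are this example's own. It compares versions numerically rather than as strings, so that a release such as 1.2.100 is correctly recognised as newer than 1.2.96.

```python
"""Triage Expedition instances against the fixed release named in the advisory."""
import re

# Fixed release per the Palo Alto Networks advisory (version 1.2.96 and later).
FIXED_VERSION = "1.2.96"

# Actions taken from the advisory text; applied per host by triage().
UPGRADE = "upgrade Expedition to 1.2.96 or later"
ROTATE = "rotate all Expedition usernames, passwords and API keys, plus firewall credentials it processed"
RESTRICT = "restrict network access to Expedition to authorised users/networks until upgraded"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v1.2.96-2' style strings into an integer tuple (1, 2, 96).

    A leading 'v' and any trailing build suffix (e.g. '-2') are ignored, which is
    a simplifying assumption of this example, not an Expedition versioning rule.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the fixed release.

    Tuples are zero-padded to the same length so that '1.3' compares as (1, 3, 0).
    Comparing numerically avoids the classic string-comparison bug in which
    '1.2.100' sorts below '1.2.96'.
    """
    have, need = parse_version(version), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to the actions the advisory calls for.

    Credential rotation is recommended for every instance, since the advisory
    asks for it regardless of patch state; unpatched hosts additionally need the
    upgrade and, until then, network restriction.
    """
    plan: dict[str, list[str]] = {}
    for host, version in inventory.items():
        if is_patched(version):
            plan[host] = [ROTATE]
        else:
            plan[host] = [UPGRADE, RESTRICT, ROTATE]
    return plan


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "expedition-lab.example": "1.2.95",
        "expedition-prod.example": "v1.2.96-2",
        "expedition-new.example": "1.2.100",
    }
    for host, actions in triage(sample).items():
        print(host)
        for action in actions:
            print(f"  - {action}")
```

Running the block prints a per-host action list for the constructed inventory; the same `triage` function can be fed a real inventory pulled from an asset database, as long as the version strings follow the dotted-integer form the parser expects.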

In August, Palo Alto Networks reported a 57.1% increase in its net income at $357.7m for the fourth quarter of fiscal year 2024 (Q4 FY24) compared to $227.7m for the same quarter of the previous fiscal year.

Read more: Palo Alto Networks reports 57.1% rise in net income in latest quarter