CVE-2024-5910 Overview
CVE-2024-5910 is a critical authentication bypass vulnerability in Palo Alto Networks Expedition, a tool used to migrate, tune and enrich firewall configurations. The flaw is a missing authentication check on a critical function, which lets an attacker with network access to Expedition take over the Expedition admin account without presenting any valid credentials.
This vulnerability is particularly dangerous because Expedition stores sensitive configuration data, including secrets, credentials, and other imported data from firewall configurations. A successful exploitation could expose this sensitive information to unauthorized attackers, potentially compromising the security of the entire network infrastructure managed through Expedition.
Critical Impact
This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Attackers can achieve full administrative control over Expedition instances without authentication, exposing all imported firewall configurations, credentials, and secrets.
Affected Products
- Palo Alto Networks Expedition versions prior to 1.2.92 (the fix ships in Expedition 1.2.92)
Discovery Timeline
- 2024-07-10 - CVE-2024-5910 published to NVD
- 2024-11-07 - Added to CISA's Known Exploited Vulnerabilities catalog following reports of active exploitation
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-5910
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function): a security-sensitive operation is reachable without any check that the caller has logged in. In Expedition the affected operation is an administrative one that leads to control of the admin account, so an attacker who can reach it obtains administrator access without ever authenticating.
The attack requires only network-level access to the Expedition instance—no valid credentials, user interaction, or special privileges are needed. Once exploited, an attacker gains the ability to take over the Expedition admin account, effectively achieving complete control over the application and all data it manages.
The scope of impact extends beyond the immediate Expedition instance. Since Expedition is designed to handle firewall configuration migrations, it typically contains highly sensitive data including firewall rules, access policies, credentials, and configuration secrets imported from production environments. Compromise of this data could enable subsequent attacks against the broader network infrastructure.
Root Cause
The root cause is that a critical administrative function in Expedition is exposed without any authentication check, so the application never establishes who is calling it before performing a privileged operation. This is a failure of complete mediation (every access to a sensitive function must be checked) rather than of least privilege: the caller is never identified, so no privilege boundary can be applied to it at all.
Attack Vector
The attack vector is network-based, requiring only that the attacker can reach the Expedition instance over the network. The exploitation path involves:
- An attacker identifies an exposed Palo Alto Networks Expedition instance accessible over the network
- The attacker accesses the vulnerable endpoint or function that lacks authentication controls
- Without providing any credentials, the attacker is able to execute administrative functions
- The attacker achieves admin account takeover, gaining full control over Expedition
- All configuration data, secrets, and credentials stored in Expedition become accessible to the attacker
For detailed technical analysis of the exploitation chain, refer to the Horizon3 Attack Research which demonstrates how this vulnerability can be leveraged for full system compromise.
Detection Methods for CVE-2024-5910
Indicators of Compromise
- Unexpected administrative actions or configuration changes in Expedition logs without corresponding authenticated sessions
- Network traffic to Expedition from untrusted or unexpected IP addresses
- New or modified admin accounts within Expedition that were not created by authorized personnel
- Evidence of bulk data extraction or export operations from the Expedition database
- Anomalous access patterns to Expedition APIs or administrative endpoints
Detection Strategies
- Monitor Expedition access logs for unauthenticated requests to administrative endpoints
- Implement network-level monitoring to detect connections to Expedition from unauthorized sources
- Deploy intrusion detection signatures that identify exploitation attempts targeting the missing authentication flaw
- Audit admin account activity and alert on any account modifications or creations
- Review firewall logs for unusual traffic patterns to Expedition instances
Monitoring Recommendations
- Enable comprehensive logging on Expedition instances and forward logs to a centralized SIEM
- Set up alerts for administrative actions that occur without proper authentication context
- Monitor for data exfiltration indicators including large file transfers from Expedition
- Implement network segmentation alerts to detect unauthorized access attempts to Expedition network segments
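The script below is added here as an illustration of the first detection strategy (requests to administrative endpoints that succeed without a session) and of the untrusted-source indicator; it is not part of the original page and is not Palo Alto Networks tooling. It runs over a few constructed Apache-style access log lines. The trusted management network, the administrative path prefixes, the session cookie name (PHPSESSID, because Expedition is a PHP application) and the log format (Apache combined format with the Cookie request header appended as a final quoted field) are all assumptions; replace them with the values of your own Expedition deployment.

```python
import ipaddress
import re

# Trusted management network(s). Assumption for this example: replace with
# the ranges your administrators actually connect from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Path prefixes treated as administrative. Hypothetical placeholders: take the
# real administrative routes from your own Expedition instance.
ADMIN_PATH_PREFIXES = ("/admin/", "/api/")

# Expedition is a PHP application, so the session cookie is assumed to be
# PHPSESSID; adjust if your instance uses a different cookie name.
SESSION_COOKIE = "PHPSESSID"

# Apache "combined" format with the Cookie request header appended as a final
# quoted field (LogFormat "... \"%{Cookie}i\"").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"'
)

# Constructed sample log lines (not real traffic). Lines 3 and 4 model an
# unauthenticated client outside the management network hitting an
# administrative path; line 3 is the request that succeeded.
SAMPLE_LOG = """\
10.0.0.15 - - [10/Jul/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0" "-"
10.0.0.15 - - [10/Jul/2024:09:12:07 +0000] "POST /admin/users HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=3f1a9c"
203.0.113.42 - - [10/Jul/2024:09:13:44 +0000] "GET /admin/users HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
203.0.113.42 - - [10/Jul/2024:09:13:45 +0000] "POST /admin/users HTTP/1.1" 302 0 "-" "python-requests/2.31" "-"
10.0.0.15 - - [10/Jul/2024:09:14:00 +0000] "GET /static/app.js HTTP/1.1" 200 8800 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def has_session(cookie_header):
    """True if the Cookie header carries the application session cookie."""
    return any(
        part.strip().startswith(SESSION_COOKIE + "=")
        for part in cookie_header.split(";")
    )


def is_trusted(ip):
    """True if the client address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(event):
    """Return the list of finding labels that apply to one parsed request."""
    findings = []
    if not is_trusted(event["ip"]):
        findings.append("untrusted-source")
    # The signal for CWE-306 abuse: an administrative path answered with
    # success to a client that presented no session at all. A redirect to the
    # login page (3xx) or a 401/403 is the normal, authenticated-only behaviour.
    if (
        event["path"].startswith(ADMIN_PATH_PREFIXES)
        and not has_session(event["cookie"])
        and 200 <= event["status"] < 300
    ):
        findings.append("unauthenticated-admin-access")
    return findings


def scan(lines):
    """Run classify() over raw log lines; return (ip, path, findings) per alert."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        findings = classify(event)
        if findings:
            alerts.append((event["ip"], event["path"], findings))
    return alerts


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path} -> {', '.join(findings)}")
```

Run against a real log, the interesting alerts are the ones carrying `unauthenticated-admin-access`: a 2xx answer from an administrative path to a client with no session cookie is exactly what a missing-authentication flaw looks like from the server side, whereas a lone `untrusted-source` finding only tells you the network restriction is not in place. Feed the script the same log that your SIEM ingests so the two views agree.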
How to Mitigate CVE-2024-5910
Immediate Actions Required
- Update Palo Alto Networks Expedition to version 1.2.92 or later immediately
- Restrict network access to Expedition to only authorized administrators and systems
- Audit all admin accounts in Expedition for unauthorized changes or additions
- Review exported or accessed configuration data for signs of unauthorized access
- Rotate every credential and secret that passed through a potentially compromised instance: Expedition's own usernames, passwords and API keys, and the firewall usernames, passwords and API keys that Expedition imported or processed
Patch Information
Palo Alto Networks has released a security patch to address this vulnerability. Organizations should apply the patch as their primary remediation strategy. Detailed patch information and affected version details are available in the Palo Alto Networks Security Advisory.
This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, which requires federal civilian agencies to remediate it by a set deadline. All organizations should treat it as a high-priority patch.
Workarounds
- Isolate Expedition instances behind a VPN or firewall, restricting access to only trusted networks
- Implement network-level access controls to limit which IP addresses can connect to Expedition
- Disable or decommission Expedition instances that are not actively needed
- Consider migrating sensitive configuration data out of Expedition until patching is complete
- Require an additional authentication layer in front of the application where your deployment supports it (for example, client-certificate authentication or an authenticating reverse proxy at the web server), so the unauthenticated function cannot be reached directly; this shields the flaw but does not fix it
# Network isolation example - restrict access to Expedition
# Insert rules at the top of INPUT so they take effect before any existing
# blanket ACCEPT; 10.0.0.0/24 is a placeholder for your management network
iptables -I INPUT 1 -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 443 -j DROP
# Expedition also serves plain HTTP; restrict port 80 the same way
iptables -I INPUT 3 -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 80 -j DROP
# Verify the rules are in place and see what the web server is bound to
iptables -L INPUT -n --line-numbers
# A 0.0.0.0 or * bind means the rules above are all that stands between
# Expedition and untrusted networks
ss -tlnp | grep -E ':(80|443)( |$)'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

