CVE-2024-9465 Overview
CVE-2024-9465 is an SQL injection vulnerability in Palo Alto Networks Expedition, the vendor's firewall migration and configuration tool. An unauthenticated attacker can exploit the flaw over the network to read arbitrary contents from the Expedition database, including password hashes, usernames, device configurations, and device API keys. The vulnerability also enables attackers to create and read arbitrary files on the underlying Expedition system, expanding the impact beyond simple data disclosure. CISA added CVE-2024-9465 to the Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation. The flaw is tracked as CWE-89: SQL Injection.
Critical Impact
Unauthenticated attackers can extract firewall credentials and API keys from Expedition, then pivot to manage production Palo Alto Networks devices.
Affected Products
- Palo Alto Networks Expedition (all versions prior to the vendor's fix in PAN-SA-2024-0010)
- Expedition deployments exposed to untrusted networks
- Environments where Expedition holds migrated firewall configurations and API keys
Discovery Timeline
- 2024-10-09 - CVE-2024-9465 published to the National Vulnerability Database
- 2024-10-09 - Palo Alto Networks publishes advisory PAN-SA-2024-0010
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-9465
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in SQL statements executed by Expedition. Because the affected endpoints do not require authentication, a remote attacker can submit crafted parameters that alter the structure of backend queries. The injection grants direct access to the Expedition PostgreSQL database, where firewall migration data is stored in cleartext or recoverable form.
Exploitation discloses password hashes for Expedition users, plaintext device credentials, and API keys for managed Palo Alto Networks firewalls. Attackers who recover device API keys can subsequently authenticate to production firewalls and modify policy. The vulnerability further allows file read and file write primitives on the Expedition host through SQL functions that interact with the filesystem, enabling persistence or staging of follow-on tooling.
Public analysis by Horizon3 attack research demonstrates chaining this SQL injection with related Expedition flaws to achieve full system compromise.
Root Cause
The root cause is the construction of SQL queries with concatenated, unsanitized request parameters in unauthenticated PHP endpoints of the Expedition web application. The code path lacks parameterized queries and input validation, allowing query structure manipulation.
Attack Vector
An attacker reaches the vulnerable endpoint over HTTP or HTTPS without credentials. By appending SQL syntax to parameters consumed by the affected endpoint, the attacker forces the database to return arbitrary rows or execute COPY and lo_* operations that interact with the host filesystem. No user interaction is required.
No verified exploit code is provided here. Refer to the Horizon3 attack research analysis for technical reproduction details.
Detection Methods for CVE-2024-9465
Indicators of Compromise
- Unauthenticated HTTP/HTTPS requests to Expedition endpoints containing SQL meta-characters such as ', UNION SELECT, --, or ; in query or body parameters
- New or unexpected files written under the Expedition web root or /tmp directory
- Outbound API calls to managed firewalls originating from Expedition outside scheduled migration windows
- PostgreSQL log entries showing COPY, pg_read_file, or lo_export invocations from the Expedition application user
Detection Strategies
- Inspect Expedition web server access logs for anomalous parameter content and high request volumes from a single source
- Correlate Expedition database query logs with web request logs to identify injected query structures
- Alert on creation of .php or shell-script files inside Expedition web directories after deployment
- Monitor for use of Expedition-stored firewall API keys from IP addresses that are not the Expedition host
Monitoring Recommendations
- Forward Expedition apache2, nginx, and PostgreSQL logs to a central SIEM or data lake for retention and query
- Enable file integrity monitoring on the Expedition web root and configuration directories
- Baseline outbound connections from the Expedition host and alert on deviations
How to Mitigate CVE-2024-9465
Immediate Actions Required
- Upgrade Expedition to the fixed version listed in PAN-SA-2024-0010
- Rotate all Expedition user passwords, firewall credentials, and device API keys that were stored in Expedition prior to patching
- Restrict network access to Expedition so only authorized administrator workstations can reach the management interface
- Review Expedition and managed firewall audit logs for unauthorized configuration changes
Patch Information
Palo Alto Networks released a fixed version of Expedition addressing CVE-2024-9465 alongside related Expedition vulnerabilities. Apply the update referenced in PAN-SA-2024-0010. Because CISA lists this CVE in the Known Exploited Vulnerabilities catalog, federal agencies are required to remediate within the BOD 22-01 timeline.
Workarounds
- Remove Expedition from any internet-exposed network segment until patched
- Place Expedition behind a VPN or jump host that enforces strong authentication
- Shut down the Expedition service when not actively performing migrations
- Revoke and reissue device API keys after confirming the system is clean
# Restrict Expedition to a management subnet using iptables
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
