CISA Warns of Critical Palo Alto Networks Vulnerabilities Exploited in Attacks
Today, CISA warned that attackers are exploiting a critical missing-authentication vulnerability in Palo Alto Networks Expedition, a migration tool that helps convert firewall configurations from Check Point, Cisco and other vendors to PAN-OS.

The flaw, tracked as CVE-2024-5910, was patched in July. Threat actors can exploit it remotely to reset the application administrator credentials on Expedition servers exposed to the Internet.

“Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to take over an Expedition administrator account and potentially access configuration secrets, credentials, and other data,” CISA says.

While the cybersecurity agency has yet to provide further details about these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit in October that chains this admin-reset flaw with CVE-2024-9464, a command injection vulnerability patched last month, to achieve unauthenticated arbitrary command execution on vulnerable Expedition servers.

CVE-2024-9464 can also be chained with other security flaws (likewise addressed by Palo Alto Networks in October) to take over firewall administrator accounts and hijack PAN-OS firewalls.

Administrators who cannot immediately install the security updates to block incoming attacks are advised to restrict network access to Expedition to authorized users, hosts, or networks.
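One way to turn that interim mitigation into something checkable, as an added example that is not part of the article or of Palo Alto Networks' own guidance: decide from an allowlist of admin ranges which sources may reach Expedition, refuse allowlists that would quietly permit everyone, and render the matching nftables rules for the host. It assumes Expedition is reached over TCP 443 and managed over TCP 22, and the CIDRs and source addresses are constructed for illustration.

```python
"""Allowlist-only access to an Expedition host: decision logic plus nftables rendering.

Added example (not from the article or from Palo Alto Networks). Assumptions:
Expedition's web UI/API is on TCP 443 and SSH management on TCP 22; the
allowlist CIDRs and sample sources below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption: ports Expedition exposes that must be reachable only from admins.
EXPEDITION_PORTS: Sequence[int] = (443, 22)


def parse_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse admin ranges; a bare host becomes a /32 or /128.

    A /0 entry (0.0.0.0/0 or ::/0) would make the allowlist meaningless,
    so it is rejected instead of being silently accepted.
    """
    nets: List[Network] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"allowlist entry {cidr} permits every address")
        nets.append(net)
    return nets


def is_allowed(src_ip: str, allow: List[Network]) -> bool:
    """True if the source falls inside any allowlisted range of the same IP version."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allow if net.version == ip.version)


def evaluate(attempts: Iterable[str], allow: List[Network]) -> Dict[str, str]:
    """Dry-run a list of connection sources against the allowlist."""
    return {src: ("accept" if is_allowed(src, allow) else "drop") for src in attempts}


def render_nftables(allow: List[Network], ports: Sequence[int] = EXPEDITION_PORTS) -> str:
    """Render an nftables table that only lets allowlisted sources reach Expedition.

    The chain keeps policy accept so it only gates the Expedition ports and
    leaves the rest of the host's traffic alone; the final rule drops anything
    on those ports that did not match an allowlisted source.
    """
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    v4 = [str(n) for n in allow if n.version == 4]
    v6 = [str(n) for n in allow if n.version == 6]
    lines = [
        "table inet expedition_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    if v4:
        lines.append(f"    tcp dport {port_set} ip saddr {{ {', '.join(v4)} }} accept")
    if v6:
        lines.append(f"    tcp dport {port_set} ip6 saddr {{ {', '.join(v6)} }} accept")
    lines.append(f"    tcp dport {port_set} drop")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed admin ranges and sample connection sources.
    allow = parse_allowlist(["10.20.0.0/24", "192.0.2.10", "2001:db8:1::/48"])
    print(evaluate(["10.20.0.7", "203.0.113.5", "2001:db8:1::42"], allow))
    print(render_nftables(allow))  # apply with: nft -f <file>, then nft list ruleset
```

The rendered ruleset is written to a file and loaded with `nft -f`; verify with `nft list ruleset` and, from a non-allowlisted host, confirm that TCP 443 times out rather than answering. Rotating Expedition credentials and API keys after the upgrade, as the vendor advises below, is still required because the network restriction does nothing about credentials that were already exposed.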

“All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All usernames, passwords, and firewall API keys processed by Expedition should be rotated after the upgrade,” the company warns.

Palo Alto Networks has not yet updated its security advisory to warn customers about the ongoing CVE-2024-5910 attacks.

CISA also added the vulnerability to its Known Exploited Vulnerabilities catalog on Thursday. Under the binding operational directive (BOD 22-01) issued in November 2021, US federal agencies must now secure vulnerable Palo Alto Networks Expedition servers on their networks against attack within three weeks, by November 28.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned.