CVE-2024-5910
Published: 10 July 2024
Summary
CVE-2024-5910 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2024-5910 is a missing authentication for critical function vulnerability, tracked under CWE-306, that affects Palo Alto Networks Expedition. The tool assists with configuration migration, tuning, and enrichment, and the flaw can result in admin account takeover when an attacker has network access to an Expedition instance. Imported configuration secrets, credentials, and other data are placed at risk by successful exploitation.
Attackers with network access to Expedition can exploit the issue without any authentication to seize administrative control of the application. This grants them the ability to access or exfiltrate sensitive data stored within the system.
Palo Alto Networks has published security advisories for the vulnerability, and it appears in the CISA Known Exploited Vulnerabilities catalog.
The associated EPSS score reached a peak of 0.9710 with a current value of 0.9103, and public research demonstrating full compromise paths has been released alongside the disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47042
Vulnerability details
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue.
- CWE(s): CWE-306
- KEV Date Added: 07 November 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on admin password reset enables exploitation of a public-facing web application (T1190) for local admin account takeover (T1078.003), exposing stored configuration secrets and credentials (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks on all critical functions, blocking the unauthenticated admin takeover path described in CVE-2024-5910.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of users before granting access to Expedition, eliminating the missing-authentication condition that enables remote account takeover.
- Remote access control: mandates authenticated and authorized remote access mechanisms for Expedition, limiting the network-access attack surface that allows unauthenticated exploitation.