CVE-2024-9465

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 October 2024

Modified: 04 November 2025
KEV Added: 14 November 2024
Patch: see vendor advisory PAN-SA-2024-0010
CVSS Score (v4): 9.2 (Critical); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Amber
EPSS Score: 0.9429 (99.9th percentile)
Risk Priority: 95 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9465 is a critical-severity SQL Injection (CWE-89) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 9.2 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-9465 is an SQL injection vulnerability, tracked under CWE-89, that affects Palo Alto Networks Expedition. An unauthenticated attacker can leverage the flaw to extract contents from the Expedition database, including password hashes, usernames, device configurations, and device API keys, while also creating and reading arbitrary files on the underlying system. The issue carries a CVSS 4.0 score of 9.2.

An unauthenticated remote attacker can exploit the vulnerability over the network without user interaction or credentials, obtaining sensitive credentials and configuration data that enable further compromise of managed devices and the Expedition host itself.

Palo Alto Networks addresses the issue in security advisory PAN-SA-2024-0010. The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Horizon3.ai has published research detailing the path from this flaw to full system compromise, consistent with the current EPSS score of 0.9429.

Vulnerability details

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 14 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: paloaltonetworks
Product: expedition
Versions: 1.2.0 to 1.2.96

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation of inputs to the Expedition web interface, blocking the crafted SQL statements that enable unauthenticated database extraction and arbitrary file operations.

Prevent: AC-3 (Access Enforcement). Enforces that only authenticated and authorized subjects may invoke Expedition functions, eliminating the unauthenticated attack vector described in the CVE.

Detect: Enables monitoring of database query patterns and file-system activity on the Expedition host, surfacing the anomalous behavior that results from successful SQL injection.
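The following is an added illustration of the two control types above (the SI-10 input-validation control and the detect control); it is not code from this page, from Palo Alto Networks, or from Expedition. The table layout, usernames, hashes, and access-log lines are all constructed for the example, and the lookup functions are generic stand-ins for any web handler that builds SQL from a request parameter. The first half shows the defect class CWE-89 describes (a query assembled by string formatting) beside the parameterized form that SI-10-style validation and safe query construction require; the second half is a small detector that decodes request URLs from web-server access logs and flags query strings carrying common SQL-injection markers, the kind of query-pattern monitoring the detect control calls for.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# ---------- Prevent: unsafe vs. parameterized query construction ----------

def make_sample_db():
    """Constructed in-memory sample schema; it does not reflect Expedition's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "$2y$10$constructed-hash-1"), ("operator", "$2y$10$constructed-hash-2")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """CWE-89 pattern: the request parameter is spliced into the SQL text,
    so quote characters in the input change the statement's structure."""
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized form: the input is bound as a value and can only ever be
    compared against the username column, never parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation (SI-10): reject anything that is not a plausible username
# before it reaches the database layer at all. The character set is an assumption.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def validate_username(username):
    return bool(USERNAME_RE.fullmatch(username))


# ---------- Detect: flag access-log requests with SQL-injection markers ----------

# Constructed common-log-format lines; not real Expedition logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET /index.php?user=admin HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2024:12:00:07 +0000] "GET /index.php?user=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.9 - - [10/Oct/2024:12:00:09 +0000] "GET /index.php?user=%27%20UNION%20SELECT%20name%2Capi_key%20FROM%20devices-- HTTP/1.1" 200 4096
10.0.0.5 - - [10/Oct/2024:12:01:13 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Markers: a quote followed by a boolean operator, a UNION SELECT, or a comment opener.
SQLI_MARKERS = re.compile(
    r"""(['"]\s*(or|and)\s+['"\d])|(union\s+select)|(--|/\*)""",
    re.IGNORECASE,
)


def flag_sqli_requests(log_text):
    """Return the log lines whose URL-decoded query string matches an injection marker."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote_plus(m.group(1))  # decode %27 etc. before matching
        if "?" not in path:
            continue
        query = path.split("?", 1)[1]
        if SQLI_MARKERS.search(query):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = make_sample_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, tautology))  # every row leaks
    print("safe:      ", lookup_user_safe(db, tautology))        # no match
    print("validated: ", validate_username(tautology))           # False
    for hit in flag_sqli_requests(SAMPLE_LOG):
        print("flagged:   ", hit)
```

The decoder step matters in practice: the markers are URL-encoded in the raw request line, so a detector that greps the undecoded log misses them. Treat the regex as a triage signal to be tuned against the application's own legitimate parameter values, not as an authoritative verdict.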

References