CVE-2024-9464 CRITICAL

CVE-2024-9464: Expedition: Authenticated OS Command Injection Vulnerability Leads to Firewall Admin Credential Disclosure

Vendor Palo Alto Networks
Product Expedition
Weakness CWE-78
Published October 9, 2024
Last update October 18, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Amber

What the vulnerability does

01Description

An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Key dates

02Disclosure timeline

October 9, 2024 CVE published
October 18, 2024 Record updated