Palo Alto Expedition - Information Disclosure (CVE-2024-9465)

CVE-2024-9465 is a SQL injection vulnerability in Palo Alto Networks Expedition which allows unauthenticated attackers to access sensitive database contents, including password hashes, usernames, device configurations, and API keys. This flaw can also be exploited to create and read arbitrary files on the Expedition system, potentially leading to further compromise and unauthorized access to critical infrastructure.

CrowdSec has been tracking this vulnerability and its exploits since 15th of December 2023.

Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2024-9465 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. In addition, according to the CrowdSec network, attack volume against CVE-2024-9465 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit the /bin/configurations/parsers/Checkpoint/CHECKPOINT.php endpoint by injecting SQL commands into the signatureid parameter, enabling unauthorized database queries and potential remote code execution.