CVE-2024-9464: 
Palo Alto Expedition vulnerability analysis and mitigation

An OS command injection vulnerability (CVE-2024-9464) exists in Palo Alto Networks Expedition that allows an authenticated attacker to run arbitrary OS commands as root. The vulnerability affects Expedition versions prior to 1.2.96 and was discovered in July 2024. Expedition is a tool designed to help migrate configurations from supported vendors like Checkpoint and Cisco to Palo Alto Networks systems (Palo Advisory, Horizon3 Research).

The vulnerability stems from improper input validation in the CronJobs.php file, where authenticated users can inject malicious commands through the start_time parameter. When the recurrence is set to 'Daily', the command is constructed using user-controlled variables without proper sanitization. The vulnerability has been assigned a CVSS v4.0 score of 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N (Palo Advisory, Horizon3 Research).

Successful exploitation of this vulnerability can result in the disclosure of sensitive information including usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. The attacker gains root-level access to the Expedition system, allowing complete control over the application and access to all stored credentials (NVD, Wiz Blog).

Organizations should upgrade to Expedition version 1.2.96 or later, which addresses this vulnerability. Additional recommended mitigations include limiting network access to Expedition systems to authorized personnel only, rotating all Expedition-related credentials after upgrading, and disabling Expedition software if not actively in use. System logs should be monitored for suspicious activities targeting specific endpoints like /bin/CronJobs.php (Palo Advisory, Wiz Blog).