CVE-2024-5910

CRITICAL KEV NUCLEI

Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)

Title source: metasploit

Exploitation Summary

CVE-2024-5910 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 7, 2024. EIP tracks 2 public exploits by researchers including ByteHunter, Michael Heinzl, Zach Hanley, Enrique Castillo, and Brian Hysell; one of them is the Metasploit module exploits/linux/http/paloalto_expedition_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets Palo Alto Networks Expedition versions 1.2 to 1.2.90.1 by sending a GET request to '/OS/startup/restore/restoreAdmin.php' to reset the admin password to 'paloalto'. It is a simple, reliable authentication bypass exploit.

Description

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.

Exploits (2)

exploitdb · WORKING POC
by ByteHunter · python · webapps · multiple
https://www.exploit-db.com/exploits/52129

This exploit targets Palo Alto Networks Expedition versions 1.2 to 1.2.90.1 by sending a GET request to '/OS/startup/restore/restoreAdmin.php' to reset the admin password to 'paloalto'. It is a simple, reliable authentication bypass exploit.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Palo Alto Networks Expedition 1.2 < 1.2.92
No auth needed
Prerequisites: Network access to the target · Expedition service running on the target
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by Michael Heinzl, Zach Hanley, Enrique Castillo, Brian Hysell · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/paloalto_expedition_rce.rb

This Metasploit module exploits CVE-2024-5910 (admin password reset) and CVE-2024-9464 (authenticated OS command injection) in Palo Alto Expedition. It first resets the admin password if no credentials are provided, then leverages an authenticated command injection in the 'start_time' parameter of the CronJobs.php endpoint to achieve RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Expedition <= 1.2.91
Auth required
Prerequisites: network access to the target · default or reset admin credentials
devstral-2 · analyzed Apr 23, 2026

Nuclei Templates (1)

Palo Alto Expedition - Admin Account Takeover
CRITICAL · VERIFIED · by johnk3r
Shodan: http.favicon.hash:1499876150

Scores

CVSS v3 9.8
EPSS 0.9103
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-11-07
VulnCheck KEV 2024-11-07
InTheWild.io 2024-11-07
ENISA EUVD EUVD-2024-47042
CWE CWE-306
Status published
Products (1)
paloaltonetworks/expedition 1.2.0 - 1.2.92
Published Jul 10, 2024
KEV Added Nov 07, 2024
Tracked Since Feb 18, 2026