CVE-2024-9464

MEDIUM

Palo Alto Networks Expedition 1.2.0-1.2.95 - Authenticated OS Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-9464. PoCs published by horizon3ai, Michael Heinzl, Zach Hanley, Enrique Castillo, Brian Hysell, including Metasploit module exploits/linux/http/paloalto_expedition_rce.

AI-analyzed exploit summary: This PoC exploits CVE-2024-9464, an authenticated command injection vulnerability in Palo Alto Expedition. It chains with CVE-2024-5910 to reset admin credentials, then injects commands into a cronjob via the 'start_time' parameter.

Description

An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Exploits (2)

nomisec WORKING POC 45 stars
by horizon3ai · poc
https://github.com/horizon3ai/CVE-2024-9464

This PoC exploits CVE-2024-9464, an authenticated command injection vulnerability in Palo Alto Expedition. It chains with CVE-2024-5910 to reset admin credentials, then injects commands into a cronjob via the 'start_time' parameter.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Expedition
No auth needed
Prerequisites: Network access to target · Target must be vulnerable to CVE-2024-9464 and CVE-2024-5910
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Michael Heinzl, Zach Hanley, Enrique Castillo, Brian Hysell · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/paloalto_expedition_rce.rb

This Metasploit module exploits CVE-2024-5910 (password reset) and CVE-2024-9464 (authenticated command injection) in Palo Alto Expedition to achieve remote code execution. It first resets the admin password if no credentials are provided, then leverages command injection in the cron job functionality.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Palo Alto Expedition <= 1.2.91
No auth needed
Prerequisites: Network access to the target · Default or reset admin credentials if no prior authentication
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.5
EPSS: 0.8171
EPSS Percentile: 99.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): paloaltonetworks/expedition 1.2.0 - 1.2.96
Published: Oct 09, 2024
Tracked Since: Feb 18, 2026