CVE-2024-9465

CRITICAL KEV NUCLEI

Palo Alto Networks Expedition 1.2.0-1.2.95 - Unauthenticated SQL Injection and Arbitrary File Write

Title source: llm

Exploitation Summary

CVE-2024-9465 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 14, 2024. EIP tracks 2 public exploits from researchers including horizon3ai, Qlng. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates an unauthenticated SQL injection vulnerability in Palo Alto Expedition by creating a checkpoint table and injecting a sleep-based payload to confirm exploitation. It targets a specific endpoint and leverages time-based blind SQLi.

Description

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Exploits (2)

nomisec WORKING POC 30 stars

by horizon3ai · infoleak

https://github.com/horizon3ai/CVE-2024-9465

View Code ZIP pw:eip

This PoC demonstrates an unauthenticated SQL injection vulnerability in Palo Alto Expedition by creating a checkpoint table and injecting a sleep-based payload to confirm exploitation. It targets a specific endpoint and leverages time-based blind SQLi.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Palo Alto Expedition (version not specified)

No auth needed

Prerequisites: Network access to the target endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Qlng · poc

https://github.com/Qlng/CVE-2024-9465

View Code ZIP pw:eip

This repository contains a Python-based proof-of-concept exploit for CVE-2024-9465, a time-based SQL injection vulnerability in Checkpoint's Expedition Project. The exploit demonstrates the vulnerability by injecting a sleep payload to confirm the presence of the SQLi.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Checkpoint Expedition Project

No auth needed

Prerequisites: Target URL with vulnerable endpoint

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Palo Alto Expedition - SQL Injection

HIGHVERIFIEDby DhiyaneshDK

Shodan: http.favicon.hash:1499876150

References (3)

Core 3

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9465

Mitigation, Vendor Advisory vendor-advisory

https://security.paloaltonetworks.com/PAN-SA-2024-0010

Exploit exploit

https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/

Scores

CVSS v3 9.1

EPSS 0.9429

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-11-14

VulnCheck KEV 2024-11-12

InTheWild.io 2024-11-14

ENISA EUVD EUVD-2024-49957

CWE

CWE-89

Status published

Products (1)

paloaltonetworks/expedition 1.2.0 - 1.2.96

Published Oct 09, 2024

KEV Added Nov 14, 2024

Tracked Since Feb 18, 2026