CVE-2024-5910

9.8 CRITICAL

📋 TL;DR

CVE-2024-5910 is a critical authentication bypass vulnerability in Palo Alto Networks Expedition that allows unauthenticated attackers with network access to take over admin accounts. This exposes all configuration secrets, credentials, and sensitive data imported into Expedition. Organizations using Expedition for configuration migration and management are affected.

💻 Affected Systems

Products:
  • Palo Alto Networks Expedition
Versions: All versions prior to 2.3.24
Operating Systems: Linux-based deployment
Default Config Vulnerable: ⚠️ Yes
Notes: Expedition is typically deployed as a virtual appliance or container. The vulnerability affects all deployments regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Expedition instance leading to theft of all stored credentials, configuration secrets, and sensitive network data, potentially enabling lateral movement to other systems.

🟠 Likely Case

Attackers gain administrative control of Expedition and access sensitive configuration data including firewall rules, VPN credentials, and administrative secrets.

🟢 If Mitigated

Limited impact if Expedition is isolated in a secure network segment with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - If Expedition is exposed to the internet, attackers can easily exploit this without authentication.
🏢 Internal Only: HIGH - Even internally, any attacker with network access to Expedition can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial and has been observed in the wild. CISA has added this to their Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Expedition 2.3.24 and later

Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-5910

Restart Required: Yes

Instructions:

1. Download Expedition 2.3.24 or later from the Palo Alto Networks support portal.
2. Back up the current Expedition configuration.
3. Deploy the updated version.
4. Restart Expedition services.
5. Verify functionality.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Restrict network access to Expedition to trusted administrative networks only.

Use firewall rules to limit access to the Expedition IP/port to specific source IPs.

Access Control Lists (platform: linux)

Implement network ACLs to restrict access to the Expedition management interface:

iptables -A INPUT -p tcp --dport <expedition_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <expedition_port> -j DROP

Both rules are appended with -A, so they must be entered in this order (ACCEPT before DROP) and will only take effect if no earlier rule in the INPUT chain already accepts the traffic; check the resulting chain with iptables -L INPUT -n --line-numbers and repeat the ACCEPT rule for each trusted source.

🧯 If You Can't Patch

  • Immediately isolate Expedition from all non-essential networks using firewall rules
  • Implement strict network segmentation and monitor all access attempts to Expedition

🔍 How to Verify

Check if Vulnerable:

Check Expedition version via web interface or CLI. Versions below 2.3.24 are vulnerable.

Check Version:

Check web interface dashboard or use system information commands specific to Expedition deployment

Verify Fix Applied:

Verify version is 2.3.24 or higher in Expedition web interface or via system information commands

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to admin endpoints
  • Unusual admin account creation or modification
  • Access from unexpected source IPs

Network Indicators:

  • Unusual traffic patterns to Expedition management interface
  • Unauthenticated API calls to sensitive endpoints

SIEM Query:

source="expedition" AND (event_type="authentication_failure" OR event_type="admin_account_modified")
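The log and SIEM indicators above turned into a small triage script, added here as an example that is not from the page or from Palo Alto Networks. Only the source and event_type field names come from the SIEM query; the JSON record shape, the trusted-network allowlist and the sample events are assumptions constructed for the demonstration.

```python
import ipaddress
import json

# Constructed sample events. Field names "source" and "event_type" follow the
# SIEM query on this page; the rest of the record shape is an assumption and
# not Expedition's real log format.
SAMPLE_EVENTS = [
    '{"source": "expedition", "event_type": "login_success", "src_ip": "10.0.5.20", "user": "admin"}',
    '{"source": "expedition", "event_type": "authentication_failure", "src_ip": "10.0.5.20", "user": "admin"}',
    '{"source": "expedition", "event_type": "login_success", "src_ip": "203.0.113.7", "user": "admin"}',
    '{"source": "expedition", "event_type": "admin_account_modified", "src_ip": "203.0.113.7", "user": "admin"}',
    '{"source": "firewall", "event_type": "admin_account_modified", "src_ip": "203.0.113.7", "user": "admin"}',
    '{"source": "expedition", "event_type": "config_export", "src_ip": "10.0.5.21", "user": "migrator"}',
]

# Event types the page's SIEM query treats as high-signal.
HIGH_SIGNAL_EVENTS = {"authentication_failure", "admin_account_modified"}

# Assumed allowlist of administrative networks (the "trusted" networks from
# the workaround section); anything outside it is an unexpected source IP.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def triage(lines, trusted_nets=TRUSTED_NETS):
    """Return (src_ip, reason) findings for Expedition events in `lines`."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("?", "unparseable log line"))
            continue
        if ev.get("source") != "expedition":
            continue  # only Expedition's own events are in scope
        src = ev.get("src_ip", "")
        etype = ev.get("event_type", "")
        if etype in HIGH_SIGNAL_EVENTS:
            findings.append((src, f"high-signal event: {etype}"))
        try:
            trusted = any(ipaddress.ip_address(src) in n for n in trusted_nets)
        except ValueError:
            trusted = False  # missing or malformed address is never trusted
        if not trusted:
            findings.append((src, f"access from untrusted source: {etype}"))
    return findings


if __name__ == "__main__":
    for src, reason in triage(SAMPLE_EVENTS):
        print(f"{src:15} {reason}")
```

An admin_account_modified event from an address outside the allowlist produces two findings and is the combination worth paging on.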
