The migration tool you finished with in October is still holding your firewall passwords
Expedition stores cleartext PAN-OS admin credentials for every firewall it ever touched. Three critical CVEs, two of them actively exploited, and the tool went EOL in December. If it's still running, it's a credential dump waiting to happen.
Someone on your team ran a firewall migration last year. Maybe it was a Check Point cutover, maybe an ASA decommission. They spun up Palo Alto’s Expedition tool on an Ubuntu 20.04 box, imported the configs, generated the PAN-OS policies, finished the project, and moved on. Nobody uninstalled it. It’s still sitting on an internal server somewhere, and it’s still holding cleartext admin credentials and API keys for every firewall it ever touched. The CVEs are bad on their own, but the real exposure is the leftover instance nobody decommissioned.
What changed
Palo Alto published advisory PAN-SA-2024-0010 on October 9, 2024, covering three critical Expedition bugs plus two lower-severity ones. The patch landed in Expedition 1.2.96 a week earlier, on October 2. Then on November 14, CISA added two of them to the KEV catalog with confirmed active exploitation and a federal remediation deadline of December 5.
The headline bug is CVE-2024-9463, an unauthenticated OS command injection rated 9.9 on CVSS 4.0 with a 98.4% EPSS score. It runs arbitrary commands as root, no login required. Pair it with CVE-2024-9465, an unauthenticated SQL injection (9.2 CVSS 4.0, 99.6% EPSS), and you get the full chain: read the database, dump the password hashes, device configs, and API keys, then execute as root. Horizon3.ai demonstrated that chain publicly on October 11, two days after the advisory.
There’s a third critical, CVE-2024-9464, an authenticated command injection at 9.3. It needs a valid session, and CISA has not added it to the KEV list. CVE-2024-9466 (CVSS 8.2) is separate: cleartext storage of sensitive information, meaning unpatched versions wrote firewall passwords and API keys to a debug log file on the Expedition host.
What it means for your environment
Treat Expedition as a credential store, not a migration utility. Per Palo Alto’s advisory, a successful exploit exposes “usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.” Those aren’t Expedition’s own credentials. They’re the admin logins and API keys for your production firewalls and Panorama.
So the blast radius isn’t the migration box. It’s every firewall that box ever talked to. If an attacker reached an unpatched instance, the assumption you have to make is that they walked away with admin access to the production fleet, not just a dead migration server.
The deployment shape makes this worse. Expedition needs a network path to the firewalls it manages, which means it sits inside your network with API reach into the devices that enforce your perimeter. Palo Alto describes Expedition as a tool for temporary use during migration, not ongoing production. The EOL announcement confirms they’ve wound it down entirely. But there was never an official decommissioning procedure, so the common failure mode is exactly the one in the opening: migration done, box left running, nobody owns it anymore.
Expedition isn’t designed to be internet-facing. Even so, Censys found roughly 45 internet-exposed instances at time of disclosure. The internal count is unknown, which is the honest answer and also the uncomfortable one. The instances you can’t see are the ones that aren’t in any asset inventory because they were supposed to be temporary.
If this pattern feels familiar, it’s the same shape as the FortiManager “FortiJump” advisory from the same month: a management-plane tool that aggregates credentials for production infrastructure, exploited precisely because it isn’t treated like a perimeter device.
What you need to do
First, find out if you have it. Check asset inventories, but also ask the people who ran migrations last year, because the box probably isn’t tagged correctly. Look for Ubuntu 20.04 hosts with Expedition on them.
If you find one:
- Patch to 1.2.96 or later if you’re below that. The fix shipped October 2, 2024, before EOL, so the version exists even though the product doesn’t anymore.
- Shut it down and uninstall it. The tool reached End of Life on December 31, 2024. No more patches, no more support. Palo Alto points you to Strata Cloud Management for future migration work. There is no reason to keep a live Expedition instance on your network in 2026.
- Rotate credentials, in order. First the Expedition usernames, passwords, and API keys. Then every PAN-OS firewall admin credential and API key for every device that was ever configured through that instance. The second step is the one people skip, and it’s the one that actually closes the exposure.
If you can’t patch and uninstall today, restrict network access to Expedition to authorized hosts only, and shut it down if it isn’t actively in use.
On forensics, set your expectations low. Palo Alto’s advisory says plainly: “There are no practical indicators of compromise for the remainder of the CVEs in this advisory.” Per Horizon3.ai’s technical walkthrough, you can check the access log for requests to the vulnerable parser and restore endpoints, and review the debug log file timestamps for unexpected access, but detection is genuinely hard here. If you find an unpatched, exposed instance, the safe move is to assume the stored credentials leaked and rotate the firewall admin keys before you touch anything else on the managed devices.
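To make that log check concrete, here is an added triage script. It is not code from this page, from Palo Alto, or from Horizon3.ai. It parses Apache combined-format access log lines from an Expedition host, flags any request to the parser or restore endpoints, and separately flags percent-decoded request targets that carry shell metacharacters (command injection) or SQL fragments (SQL injection), then counts hits per source address. The endpoint substrings in WATCH_PATHS and the five log lines are constructed assumptions; substitute the exact paths from the Horizon3.ai writeup before running it on a real log.

```python
"""Triage an Expedition web-server access log for the 2024 CVE endpoints.

Added example, not Palo Alto or Horizon3.ai code. Log format and endpoint
substrings are assumptions; the sample log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format (assumption: Expedition's Apache uses the default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings of the endpoints the advisory and Horizon3.ai tie to the bugs.
# ASSUMPTION: replace with the exact paths from the Horizon3.ai writeup.
WATCH_PATHS = ("/bin/configurations/parsers/", "restore")

# Payload indicators, applied to the percent-decoded request target.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
SQLI = re.compile(r"'|\bunion\b|\bselect\b|\bsleep\(|--", re.IGNORECASE)

# Constructed sample: one benign request, one command-injection attempt, one
# SQL-injection attempt, one bare hit on a watched endpoint, one benign request.
SAMPLE_LOG = [
    '10.0.5.21 - - [12/Nov/2024:09:14:02 +0000] "GET /login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2024:09:15:40 +0000] "GET /bin/configurations/parsers/Checkpoint/CHECKPOINT.php?action=import&file=x;id HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Nov/2024:09:15:41 +0000] "GET /bin/restoreSnapshot.php?snapshot=1%27+UNION+SELECT+1-- HTTP/1.1" 200 9876 "-" "curl/8.4.0"',
    '198.51.100.9 - - [13/Nov/2024:02:03:11 +0000] "POST /bin/configurations/parsers/Checkpoint/CHECKPOINT.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '10.0.5.21 - - [13/Nov/2024:08:00:00 +0000] "GET /index.php?page=devices HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the parsed fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["target"])  # undo %27, +, etc.
    return entry


def classify(entry):
    """List the reasons a request is interesting; empty list means benign."""
    reasons = []
    decoded = entry["decoded"]
    path = decoded.split("?", 1)[0]
    if any(w in path for w in WATCH_PATHS):
        reasons.append("watched endpoint")
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacters")
    if SQLI.search(decoded):
        reasons.append("sql injection pattern")
    return reasons


def triage(lines):
    """Return one finding per flagged request, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                "target": entry["decoded"], "reasons": reasons,
            })
    return findings


def by_source(findings):
    """Count flagged requests per source IP; a repeat offender is the pivot for the IR timeline."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["target"], "->", ", ".join(h["reasons"]))
    print("per source:", dict(by_source(hits)))
```

Note that a bare hit on a watched endpoint with no payload in the URL (the POST on 198.51.100.9) is still reported: the real exploit payloads travel in the request body, which the access log never records, so the endpoint hit itself is the indicator. Treat any external or unexpected source address in that output as grounds to rotate the firewall credentials first and investigate second.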
The window
The federal deadline was December 5, 2024. For everyone else, the deadline was whenever you found out, which for a lot of teams is now. About five weeks separated the October 9 advisory from the November 14 KEV listing, and any team that filed this as a low-priority “migration tool update” in that window lost it.
The honest framing: if you confirmed Expedition was uninstalled and credentials were rotated last year, you’re done. This isn’t a fresh fire. But if you don’t know whether that box still exists, that uncertainty is the finding. An unaccounted-for Expedition instance is functionally a plaintext export of your firewall admin credentials sitting on an unpatched, end-of-life server with public exploit code available for it.
The patch was the easy part, and it’s long done. The work that’s left is the inventory question nobody wanted to own: where did that migration box go, and did anyone ever turn it off? PatchDayAlert tracks exactly this kind of leftover-infrastructure risk in the daily digest, because the CVE that gets you is rarely the one on a device you’re actively managing.
Sources
- Palo Alto PSIRT Advisory PAN-SA-2024-0010 — 2024-10-09
- CyberScoop: CISA warns of Palo Alto Expedition exploits — 2024-11-14
- NVD CVE-2024-9463 — 2024-10
- NVD CVE-2024-9465 — 2024-10
- Horizon3.ai: Palo Alto Expedition — From N-Day to Full Compromise — 2024-10-11
- SOCRadar: Vulnerabilities in Palo Alto Networks Expedition expose firewall credentials — 2024-10
- Palo Alto Expedition EOL announcement — 2024
- BleepingComputer: CISA warns of critical Palo Alto Networks bug exploited in attacks — 2024-11-14