How to Fix CVE-2024-9463: Palo Alto Networks Expedition OS Command Injection
*By Sai Kiran Pandrala*
| Field | Detail |
|---|---|
| Severity | CVSS 9.9, Critical |
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Palo Alto Networks Expedition (firewall migration tool), see vendor advisory for affected versions |
| Fixed in | See the Palo Alto Networks advisory for the patched Expedition build |
| Type (CWE) | OS Command Injection |
⚠️ Take Expedition off the network until patched. Expedition is an internal migration helper; it should never have been internet-exposed. If yours was, treat it as compromised.
What is CVE-2024-9463?
Expedition is Palo Alto Networks' configuration migration tool, used by network teams to convert configs from third-party firewalls (or older PAN-OS versions) into modern PAN-OS configurations. The tool has an OS command injection vulnerability that allows an unauthenticated remote attacker to execute commands at the operating-system level on the Expedition host.
Why this matters: Expedition typically holds service-account credentials, firewall API keys, and exported config dumps containing pre-shared keys, RADIUS secrets, and admin passwords from the source environment. RCE on Expedition is effectively a credentials-for-the-whole-network compromise.
Am I affected?
You are affected if you operate Palo Alto Networks Expedition at any version below the patched build listed in the vendor advisory.
To check the Expedition version, log in to the web UI and look at the version banner. Alternatively, from the Expedition CLI:
expedition --version
How to fix CVE-2024-9463
- Open the Palo Alto Networks security advisory linked below and confirm the patched Expedition build.
- Take Expedition off the public network immediately if it was exposed. It should not have been.
- Back up any in-progress migration projects before upgrading.
- Install the patched Expedition release following the vendor's documented upgrade procedure.
- Rotate every credential Expedition has touched — firewall API keys, source-vendor admin passwords, any RADIUS/TACACS+ keys present in imported configs.
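One way to build the rotation list for the last step, as an added example (not Palo Alto Networks or Expedition code): it scans exported config files for secret-bearing fields and reports where each one lives without returning the value. The XML element names, the text-config line patterns and the sample configs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed path suffixes of secret-bearing elements in a PAN-OS-style XML export.
XML_SECRETS = {"phash": "admin password hash",
               "secret": "RADIUS/TACACS+ shared secret",
               "pre-shared-key/key": "IKE pre-shared key"}
# Assumed line patterns for a text-based third-party firewall config.
LINE_SECRETS = [(re.compile(r"^\s*username\s+\S+\s+password\s+\S+"), "local admin password"),
                (re.compile(r"\bpre-shared-key\s+\S+"), "VPN pre-shared key"),
                (re.compile(r"^\s*key\s+\S+"), "AAA server shared secret")]

def inventory_xml(text, source):
    """Return (source, location, kind) per secret-bearing element, never the value."""
    if "<!DOCTYPE" in text:  # refuse entity tricks in files from a suspect host
        raise ValueError(f"{source}: DOCTYPE not allowed")
    findings = []
    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[{name}]" if name else "")
        if (node.text or "").strip():
            findings.extend((source, here, kind) for suffix, kind in XML_SECRETS.items()
                            if here.endswith("/" + suffix))
        for child in node:
            walk(child, here)
    walk(ET.fromstring(text), "")
    return findings

def inventory_text(text, source):
    """Return (source, 'line N', kind) for each config line that carries a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, kind in LINE_SECRETS:
            if pattern.search(line):
                findings.append((source, f"line {lineno}", kind))
                break
    return findings

# Constructed sample inputs (not real configs or real secrets).
SAMPLE_XML = (
    '<config><mgt-config><users><entry name="admin"><phash>CONSTRUCTED-VALUE</phash></entry></users></mgt-config>'
    '<shared><radius><entry name="corp-radius"><server><entry name="r1"><secret>CONSTRUCTED-VALUE</secret></entry></server></entry></radius></shared>'
    '<network><gateway><entry name="branch-gw"><pre-shared-key><key>CONSTRUCTED-VALUE</key></pre-shared-key></entry></gateway></network></config>'
)
SAMPLE_TEXT = ("username netadmin password CONSTRUCTED-VALUE encrypted\n"
               "aaa-server CORP-RADIUS (inside) host 192.0.2.10\n"
               " key CONSTRUCTED-VALUE\n"
               " ikev1 pre-shared-key CONSTRUCTED-VALUE\n")
```

Run it on an isolated workstation against copies of the project exports, and treat every row it returns as a credential to rotate at its source system.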
Upgrade PAN-OS to the patched release
# Target PAN-OS build 1.2.96.
show system info | match sw-version
request system software download version 1.2.96
request system software install version 1.2.96
request restart system
# Post-reboot verification
show system info | match sw-version
Verify the fix landed
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://security.paloaltonetworks.com/PAN-SA-2024-0010
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2024-9463 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
If you can't patch immediately
- Remove Expedition from the network entirely until patched. Expedition is intermittent-use tooling; you do not need it online 24/7.
- Restrict access to a single management workstation if total isolation is impossible.
How to verify the fix worked
Confirm Expedition is at the patched build via the web UI version banner. Complete the credential rotation if you have not already done so.
Frequently asked questions
Is CVE-2024-9463 actively exploited?
Yes. CVE-2024-9463 is in the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-9463?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://security.paloaltonetworks.com/CVE-2024-9463
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Palo Alto Networks advisory: https://security.paloaltonetworks.com/CVE-2024-9463
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9463
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the official Palo Alto Networks advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2024-0012: Authentication Bypass in Cloud NGFW
- How to Fix CVE-2024-3400: Palo Alto PAN-OS GlobalProtect Command Injection
- How to Fix CVE-2024-5910: Authentication Bypass in Expedition
- How to Fix CVE-2024-9474: Command Injection in Cloud NGFW
- How to Fix CVE-2024-9465: SQL Injection in Expedition