CVE-2026-0230
Bypass Protection Vulnerability in Palo Alto Cortex XDR macOS Agent
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Palo Alto Networks, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | cortex_xdr_agent | * |
| palo_alto_networks | cortex_xdr_agent | < 8.3.102-CE (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Palo Alto Networks Cortex XDR Agent on macOS, where a flaw in the agent's protection mechanism allows a local administrator to disable the agent.
Because the agent can be disabled, malware could leverage this to perform malicious activities without being detected by the security software.
The issue affects versions prior to 8.7.101-CE and 8.3.102-CE on macOS, while versions 8.7.101-CE, 8.3.102-CE, 8.9.0, and later are not affected.
Exploitation requires local access with high privileges but no user interaction, and no special configuration is needed to exploit it. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing malware or an attacker with local administrator privileges to disable the Cortex XDR Agent on macOS.
Once disabled, the security agent cannot detect or prevent malicious activity, potentially leading to undetected attacks.
The impact is primarily on product availability, meaning the security protection is unavailable, but confidentiality and integrity of data are not directly affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a local administrator being able to disable the Palo Alto Networks Cortex XDR agent on macOS. Detection would involve verifying whether the Cortex XDR agent is running and has not been disabled.
You can check the status of the Cortex XDR agent on macOS by using system commands to verify if the agent process is active or if its services are running.
- Use the command: `ps aux | grep CortexXDR` to check if the Cortex XDR agent process is running.
- Use `launchctl list | grep com.paloaltonetworks.cortexxdr` to verify if the launch daemon for the agent is loaded and active.
- Check system logs for any recent events indicating the agent was stopped or disabled.
Monitoring for unexpected stoppage or disabling of the agent can help detect exploitation attempts of this vulnerability.
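The two checks above can be combined into a single script that reports whether the agent is fully running, partially present, or disabled, which is the condition this CVE lets a local administrator create. The script below is an added example, not code from Palo Alto Networks or from this advisory page; the process name `CortexXDR` and the launchd label `com.paloaltonetworks.cortexxdr` are taken from the commands quoted above and should be confirmed against the installed agent before the script is used for alerting. The sample `ps` and `launchctl` output embedded in it is constructed for offline demonstration, including the install path, which is a placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory page or the vendor): classify the Cortex XDR
# agent's state on a macOS host from `ps aux` and `launchctl list` output.
# Assumptions: the agent process is matched by "CortexXDR" and the launchd job by
# "com.paloaltonetworks.cortexxdr", both taken from the page; verify them locally.

AGENT_PROC_PATTERN='CortexXDR'
AGENT_LAUNCHD_LABEL='com.paloaltonetworks.cortexxdr'

# Return 0 if the captured `ps aux` output shows the agent process, 1 otherwise.
# `grep -v grep` drops the grep command itself, which would otherwise match.
agent_process_present() {
    printf '%s\n' "$1" | grep -v grep | grep -q "$AGENT_PROC_PATTERN"
}

# Return 0 if the captured `launchctl list` output shows the agent's launchd label.
agent_daemon_loaded() {
    printf '%s\n' "$1" | grep -q "$AGENT_LAUNCHD_LABEL"
}

# Combine both checks into one verdict: "running", "daemon-only" (job loaded but no
# process, e.g. stopped or crashed), "process-only" (process without its job), or
# "disabled" (neither present, the state an attacker using this CVE would leave).
agent_status() {
    ps_out=$1
    launchctl_out=$2
    if agent_process_present "$ps_out"; then
        if agent_daemon_loaded "$launchctl_out"; then echo running; else echo process-only; fi
    else
        if agent_daemon_loaded "$launchctl_out"; then echo daemon-only; else echo disabled; fi
    fi
}

# Live check for use from cron or an MDM script: prints the verdict and exits
# non-zero unless the agent is fully running, so a scheduler can raise an alert.
check_live_host() {
    status=$(agent_status "$(ps aux)" "$(launchctl list)")
    echo "cortex-xdr-agent: $status"
    [ "$status" = running ]
}

# Constructed sample output (not captured from a real host); the path is a placeholder.
SAMPLE_PS_HEALTHY='root   512  0.1  0.5  /placeholder/install/path/CortexXDR
user   900  0.0  0.0  grep CortexXDR'
SAMPLE_PS_DISABLED='user   900  0.0  0.0  grep CortexXDR'
SAMPLE_LAUNCHCTL_HEALTHY='512  0  com.paloaltonetworks.cortexxdr
-    0  com.apple.example'
SAMPLE_LAUNCHCTL_DISABLED='-    0  com.apple.example'

# Demonstration on the constructed samples.
echo "healthy host:  $(agent_status "$SAMPLE_PS_HEALTHY" "$SAMPLE_LAUNCHCTL_HEALTHY")"
echo "disabled host: $(agent_status "$SAMPLE_PS_DISABLED" "$SAMPLE_LAUNCHCTL_DISABLED")"
```

On a real host, call `check_live_host` instead of the demonstration lines; the "daemon-only" and "process-only" verdicts are worth alerting on as well, since a half-present agent is as much a sign of tampering or failure as a fully absent one.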
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Palo Alto Networks Cortex XDR agent on macOS to a fixed version.
- Upgrade the Cortex XDR agent to version 8.9.0, 8.7.101-CE, 8.3.102-CE, or any later release where this vulnerability is fixed.
Since the vulnerability requires local administrator privileges to exploit, limiting administrative access and monitoring privileged user activity can reduce risk.
- Restrict local administrator privileges to trusted personnel only.
- Implement monitoring and alerting for any attempts to stop or disable the Cortex XDR agent.
No special configuration is required to exploit this vulnerability, so patching is the most effective immediate action.