CVE-2026-0232
Bypass Protection Vulnerability in Palo Alto Cortex XDR Agent
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: Palo Alto Networks, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | cortex_xdr_agent | * |
| palo_alto_networks | cortex_xdr_agent | to 9.0.1 (exc) |
| palo_alto_networks | cortex_xdr_agent | to 8.9.1 (exc) |
| palo_alto_networks | cortex_xdr_agent | to 8.7.101-CE (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-15 | One or more system settings or configuration elements can be externally controlled by a user. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing malware to disable the Cortex XDR agent's protection, enabling malicious activity to occur undetected.
The primary impact is on system availability, as the security agent can be turned off, potentially compromising the system's defense against threats.
Confidentiality and integrity of data are not affected by this vulnerability.
Can you explain this vulnerability to me?
This vulnerability exists in the Palo Alto Networks Cortex XDR Agent on Windows and allows a local Windows administrator to disable the agent's protection mechanism.
Because of this flaw, malware could exploit the vulnerability to operate without being detected by the agent.
The issue is classified under CWE-15, which relates to external control of system or configuration settings, and CAPEC-578, which involves disabling security software.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a local Windows administrator being able to disable the Palo Alto Networks Cortex XDR agent, which may allow malware to operate undetected.
Detection would involve verifying whether the Cortex XDR agent is running and has not been disabled or tampered with.
Suggested commands to check the agent status on a Windows system include:
- Using PowerShell to check the service status: `Get-Service -Name 'CortexXDRService'`, substituting the exact service name used by your agent version.
- Using Task Manager or the command line: `tasklist /FI "IMAGENAME eq CortexXDR.exe"` to verify that the agent process is running.
- Checking event logs for any service stop or disable events related to the Cortex XDR agent.
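The three checks above combined into one script, as an added example that is not part of the original record or of the vendor's tooling. The service name `CortexXDRService` and process name `CortexXDR` are assumptions taken from the suggested commands; confirm the exact names on a known-good host before relying on the output.

```powershell
# Added example: check whether the Cortex XDR agent is running and look for
# recent service stop/disable events. Not vendor code.
# ASSUMPTIONS (verify on a known-good host): service 'CortexXDRService',
# process 'CortexXDR'. Adjust both variables if your agent uses other names.
$ServiceName   = 'CortexXDRService'
$ProcessName   = 'CortexXDR'
$LookbackHours = 24
$findings = @()

# 1. Service present and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Service '$ServiceName' not found (uninstalled, renamed, or wrong name assumed)."
} elseif ($svc.Status -ne 'Running') {
    $findings += "Service '$ServiceName' is '$($svc.Status)' rather than Running."
}

# Start mode set to Disabled is a classic way to keep an agent from coming back.
$svcCfg = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svcCfg -and $svcCfg.StartMode -eq 'Disabled') {
    $findings += "Service '$ServiceName' start mode is Disabled."
}

# 2. Agent process present? (same check as 'tasklist /FI "IMAGENAME eq CortexXDR.exe"')
if (-not (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
    $findings += "No running process named '$ProcessName.exe'."
}

# 3. Service Control Manager events in the System log:
#    7036 = service state change (e.g. 'entered the stopped state')
#    7040 = service start type changed (e.g. changed to disabled)
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match [regex]::Escape($ServiceName) -or
        ($svc -and $_.Message -match [regex]::Escape($svc.DisplayName))
    }
foreach ($e in $events) {
    $findings += "$($e.TimeCreated) Event $($e.Id): $($e.Message -replace '\s+', ' ')"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$ServiceName' running, process present, no stop/disable events in last $LookbackHours h."
} else {
    Write-Output "REVIEW: possible agent tampering or misconfiguration:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell session so the System event log and service configuration are readable; a "REVIEW" result is a prompt to investigate who stopped or disabled the service, not proof of exploitation.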
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to ensure that the Palo Alto Networks Cortex XDR agent is updated with Content Update (CU) version 2120 or higher.
For affected versions, apply the appropriate software updates:
- Upgrade to Cortex XDR Agent 9.1 or later, 9.0.1 or later, 8.9.1 or later, or 8.7.101-CE or later, which include architectural enhancements to harden the agent.
- For versions 8.3-CE and 7.9-CE, applying Content Update 2120 alone is sufficient without a full software upgrade.
No known workarounds exist, so applying the update is critical.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a local Windows administrator to disable the Palo Alto Networks Cortex XDR agent, potentially enabling malware to operate undetected and compromising system availability.
While the vulnerability impacts availability, it does not affect confidentiality or integrity of data.
Because availability is a key component of many compliance standards such as GDPR and HIPAA, this vulnerability could negatively impact compliance by increasing the risk of undetected malicious activity and system downtime.
Remediation through applying the Content Update 2120 or later is necessary to maintain protection and help ensure compliance with these standards.