Description
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on macOS allows a local administrator to disable the agent. This issue could be leveraged by malware to perform malicious activity without detection.
Published: 2026-03-11
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Detection Bypass
Action: Patch
AI Analysis

Impact

A local administrator on macOS can disable the Palo Alto Networks Cortex XDR Agent, allowing malware to operate undetected. This vulnerability involves a flaw in the agent’s protection mechanism and is classified as CWE-754, indicating a privilege or access control weakness. The effect is the loss of continuous monitoring and potential unauthorized activity.

Affected Systems

Affected products are the Palo Alto Networks Cortex XDR Agent on macOS. Vulnerable versions include releases prior to 8.9.0, prior to 8.7.101-CE, and prior to 8.3.102-CE. The CPE list confirms that 8.3-CE, 8.3.101-CE and 8.7-CE are affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 4, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires local administrator access on the macOS system; there is no evidence of a network‑based or remote attack vector.

Generated by OpenCVE AI on March 17, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cortex XDR Agent to version 8.9.0, 8.7.101-CE, 8.3.102-CE or any later release
  • Verify that the agent remains active and is not disabled by local administrator accounts

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on macOS allows a local administrator to disable the agent. This issue could be leveraged by malware to perform malicious activity without detection.
Title | | Cortex XDR Agent: Local Administrator can disable the agent on macOS
First Time appeared | | Palo Alto Networks; Palo Alto Networks cortex Xdr Agent
Weaknesses | | CWE-754
CPEs | | cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:macOS:*:*; cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.3-CE:*:*:*:*:macOS:*:*; cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.3.101-CE:*:*:*:*:macOS:*:*; cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:macOS:*:*
Vendors & Products | | Palo Alto Networks; Palo Alto Networks cortex Xdr Agent
References | |
Metrics | | cvssV4_0 {'score': 4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-03-11T20:19:05.966Z

Reserved: 2025-11-03T20:43:51.178Z

Link: CVE-2026-0230

Vulnrichment

Updated: 2026-03-11T20:18:35.647Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T18:16:21.170

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-0230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:01Z

Weaknesses