Description
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.
Published: 2026-04-13
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Agent disablement enabling undetected activity
Action: Patch
AI Analysis

Impact

A flaw in the protection mechanism of the Palo Alto Networks Cortex XDR agent on Windows allows a user with local administrator privileges to disable the agent, effectively turning off endpoint detection controls. The weakness is tracked as CWE‑15, external control of system configuration, and while it does not grant remote code execution, it permits malicious activity to proceed without triggering the agent’s alerts.

Affected Systems

All installations of Cortex XDR Agent on Windows that have not applied content update 2120 are vulnerable, including older releases such as 8.7‑CE, 8.9.0, 9.0.0 and earlier. Installing the content update 2120 or upgrading the product to version 9.1.0, 9.0.1, 8.9.1, or 8.7.101‑CE removes the flaw. For releases 8.3‑CE and 7.9‑CE, applying content update 2120 alone is sufficient.

Risk and Exploitability

The CVSS score of 4.0 indicates a medium severity. Exploitation requires local administrator rights and does not provide remote code execution, but disabling the agent undermines the monitoring posture and increases the risk of undetected compromise. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. No workaround has been provided, so submittent remediation via patch or upgrade is the only mitigation path.

Generated by OpenCVE AI on April 13, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Content Update 2120 or later
  • If running an older software release, upgrade to Cortex XDR 9.1.0 or a later supported version (9.0.1, 8.9.1, or 8.7.101‑CE)
  • For versions 8.3‑CE and 7.9‑CE, apply content update 2120 only
  • No known workarounds exist

Generated by OpenCVE AI on April 13, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.
Title Cortex XDR Agent: Local Administrator can disable the agent on Windows
First Time appeared Palo Alto Networks
Palo Alto Networks cortex Xdr Agent
Weaknesses CWE-15
CPEs cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*
Vendors & Products Palo Alto Networks
Palo Alto Networks cortex Xdr Agent
References
Metrics cvssV4_0

{'score': 4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber'}

Subscriptions

Palo Alto Networks Cortex Xdr Agent
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-04-13T13:27:43.511Z

Reserved: 2025-11-03T20:43:53.493Z

Link: CVE-2026-0232

cve-icon Vulnrichment

Updated: 2026-04-13T13:15:33.586Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T08:16:20.900

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-0232

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:52:35Z

Weaknesses