Platform: windows
Component: cortex-xdr-agent
Fixed in:
7.9.102-CE
8.1.1
8.2.3
8.3.1
CVE-2024-5907 describes a privilege escalation vulnerability affecting the Palo Alto Networks Cortex XDR agent on Windows devices. Successful exploitation allows a local user to execute programs with elevated privileges, potentially leading to unauthorized access and control. This vulnerability impacts versions of the Cortex XDR agent up to and including 8.4.0. Palo Alto Networks has advised users to upgrade to a patched version to address this issue.
The primary impact of CVE-2024-5907 is the potential for a local user to gain elevated privileges on a Windows system where the Cortex XDR agent is installed. This could allow an attacker to bypass security controls, install malicious software, modify system configurations, or access sensitive data. While the vulnerability requires exploitation of a race condition, successful exploitation could grant near-complete control over the affected system. The blast radius extends to any data or resources accessible by the user with elevated privileges, potentially impacting the entire network if the compromised system has access to sensitive resources.
CVE-2024-5907 was publicly disclosed on June 12, 2024. Exploitation depends on winning a race condition, which makes the vulnerability harder to exploit than one without that requirement. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be assessed as medium due to the complexity of exploitation, but this is pending official evaluation. This CVE is not currently listed in the CISA KEV catalog.
Organizations deploying Palo Alto Networks Cortex XDR agent on Windows systems, particularly those with less stringent local account privilege controls, are at risk. Environments with a high number of local administrator accounts or those lacking robust monitoring of process execution are especially vulnerable.
• windows / supply-chain:
  Get-Process -Name CortexXdrAgent | Select-Object -ExpandProperty CPU
• windows / supply-chain:
  Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PaloAltoNetworks.CortexXDRAgent'; Id = 1000 } | Where-Object { $_.Message -match 'error' }
• windows / supply-chain:
  Get-ScheduledTask | Where-Object { $_.TaskName -like '*CortexXdrAgent*' } | Format-List TaskName, State
Disclosure
Exploit status
EPSS
0.08% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2024-5907 is to upgrade the Cortex XDR agent to a version patched against this vulnerability. Palo Alto Networks has likely released a fixed version; consult their security advisories for details. As a temporary workaround, consider implementing stricter access controls and monitoring for suspicious activity on systems running the vulnerable agent. While a direct WAF rule is unlikely to be effective, reviewing agent logs for unusual process execution patterns could provide early detection. After upgrading, confirm the fix by attempting to reproduce the race condition and verifying that the attempted privilege escalation fails.
Update the Cortex XDR agent to the latest available version. Specifically, make sure the version is 7.9.102-CE or later, 8.2.3 or later, or 8.3.1 or later. This mitigates the privilege escalation vulnerability.
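The upgrade step above is easiest to verify across a fleet with a script. The following PowerShell is an added example written for this page; it is not code from the original page or from Palo Alto Networks. It reads the installed agent version from the standard Uninstall registry keys and compares it, per release branch, against the fixed-in versions listed in the table at the top of this page. Two things are assumptions rather than facts from the page: that the agent's uninstall entry has a DisplayName starting with "Cortex XDR", and that a suffix such as "-CE" can be dropped before numeric comparison. The sample version strings at the end are constructed.

```powershell
# Added example, not part of the original page or Palo Alto Networks' tooling:
# read the installed Cortex XDR agent version and compare it against the
# fixed-in versions listed on this page for CVE-2024-5907.
# Assumptions (not confirmed by the page): the agent appears in the standard
# Uninstall registry keys with a DisplayName starting "Cortex XDR", and a
# suffix such as "-CE" can be dropped before numeric comparison.

# Fixed-in versions per release branch, taken from the "Fixed in" table above.
$FixedIn = @{
    '7.9' = '7.9.102'
    '8.1' = '8.1.1'
    '8.2' = '8.2.3'
    '8.3' = '8.3.1'
}

function Get-CortexXdrAgentVersion {
    # Look in both the native and the WOW6432Node uninstall hives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # The DisplayName pattern below is an assumption about how the agent registers itself.
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cortex XDR*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-CortexXdrAgentFixed {
    param([Parameter(Mandatory)][string]$Version)

    # Strip a trailing tag such as "-CE" so that [version] can parse the string.
    $numeric = [version]($Version -replace '-.*$', '')
    $branch  = '{0}.{1}' -f $numeric.Major, $numeric.Minor

    if ($FixedIn.ContainsKey($branch)) {
        $status = if ($numeric -ge [version]$FixedIn[$branch]) { 'Fixed' } else { 'Vulnerable' }
    } else {
        # Branch not covered by the table on this page: consult the vendor advisory.
        $status = 'Unknown branch'
    }

    [pscustomobject]@{
        Version = $Version
        Branch  = $branch
        FixedIn = $FixedIn[$branch]
        Status  = $status
    }
}

# Check the locally installed agent, if any.
$installed = Get-CortexXdrAgentVersion
if ($installed) {
    Test-CortexXdrAgentFixed -Version $installed
} else {
    Write-Output 'Cortex XDR agent not found under the Uninstall registry keys.'
}

# The same check applied to version strings gathered from other hosts, for
# example from an inventory export (constructed sample values).
'7.9.101-CE', '7.9.102-CE', '8.2.1', '8.3.1', '8.4.0' | ForEach-Object {
    Test-CortexXdrAgentFixed -Version $_
} | Format-Table -AutoSize
```

Versions are compared within their own release branch, because each branch has its own fixed-in release; a branch that does not appear in the table (8.4 in the constructed sample, which this page lists among affected versions) is reported as "Unknown branch" so that it is checked against the vendor advisory rather than silently marked fixed.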
CVE-2024-5907 is a vulnerability in the Palo Alto Networks Cortex XDR agent for Windows that allows a local user to potentially gain elevated privileges by exploiting a race condition.
You are potentially affected if you are running Palo Alto Networks Cortex XDR agent version 8.4.0 or earlier on Windows systems.
Upgrade the Cortex XDR agent to a version that includes the fix. Check Palo Alto Networks' security advisories for the latest fixed version.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Palo Alto Networks security advisory page for the latest information and updates regarding CVE-2024-5907.