Platform
windows
Component
cortex-xdr-agent
Fixed in
8.4.1
8.3.1
8.2.1
8.1.2
7.9.102-CE
CVE-2024-5909 is a local vulnerability in the Palo Alto Networks Cortex XDR agent for Windows: a low-privileged local user on the affected host can disable the agent's protection mechanisms. Malware that has already gained a foothold as an ordinary user can use this to switch the agent off and then operate without being monitored by Cortex XDR. The vulnerability affects agent versions 7.9-CE through 8.4.0. Fixes ship per maintenance branch (7.9.102-CE, 8.1.2, 8.2.1, 8.3.1 and 8.4.1), so upgrade to the fixed build of the branch you run; a host on 8.3.0 is still vulnerable even though 8.3.0 is numerically higher than 8.2.1.
The primary impact of CVE-2024-5909 is that a low-privileged user can disable the Cortex XDR agent, which blinds the security operations center (SOC) to everything that happens on that endpoint afterwards. Malware or an interactive attacker can use this to evade detection and execute payloads unobserved. The blast radius is the whole endpoint: nothing done after the agent is disabled is logged or analyzed by Cortex XDR, which opens the way to data exfiltration, full system compromise and lateral movement into the rest of the network. Note that this is not a remote entry point; the attacker must already be able to run code as a local user on the host.
The vulnerability has been publicly disclosed and is not currently listed in the CISA KEV catalog. At the time of writing there are no known public exploits or active campaigns targeting it. The EPSS score shown on this page is 0.86% (75th percentile), which is consistent with a flaw that needs local access and has a straightforward fix (upgrade).
Organizations that rely on the Cortex XDR agent as their primary endpoint detection and response control are most exposed, because the flaw removes exactly that control. Environments with many low-privileged interactive users, or with weak local privilege management, are particularly at risk. Multi-user hosts such as shared workstations or terminal servers, where several users can run code on the same endpoint, are also at increased risk.
Endpoint checks (the process, service and event-provider names below are the ones given on this page; confirm them against your installed build before relying on them):
• windows / endpoint: Get-Process -Name "CortexXdrAgent" -ErrorAction SilentlyContinue | Select-Object Name, Id, StartTime
• windows / endpoint: Get-Service -Name "CortexXdrAgentService" -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType (a Status of Stopped, or no service at all, on a host that should have the agent is the finding)
• windows / endpoint: Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='Cortex XDR Agent']]]" -MaxEvents 10
• windows / endpoint: Check Autoruns for unexpected or missing entries related to the Cortex XDR agent.
Disclosure
Exploit status
EPSS
0.86% (75th percentile)
CISA SSVC
The recommended mitigation is to upgrade the Cortex XDR agent to the fixed build for the branch in use (7.9.102-CE, 8.1.2, 8.2.1, 8.3.1 or 8.4.1, as listed above). If an immediate upgrade is not possible because of compatibility testing, reduce exposure in the meantime: keep interactive users out of the local Administrators group, restrict who can log on to the affected hosts, and prevent ordinary users from modifying the agent's configuration. Monitor the endpoint and the Cortex XDR console for agents that stop reporting or for unauthorized disable attempts, since a silently stopped agent is the symptom of exploitation. Stricter local account policies and least privilege do not fix the flaw, but they raise the cost of reaching the required local foothold. After upgrading, verify that the agent service is running and that the endpoint is actively sending data to the Cortex XDR console.
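The following PowerShell script is an added example for this page, not Palo Alto Networks code. It takes the affected range and the fixed builds listed above, decides per maintenance branch whether an installed agent build still needs the upgrade (so that 8.3.0 is correctly flagged even though it is numerically above 8.2.1), and then performs the post-upgrade check from the mitigation text by confirming that the agent service is present and running. Assumptions, to adjust for your estate: the agent's Add/Remove Programs entry has a DisplayName beginning with "Cortex XDR", its Windows service has a DisplayName containing "Cortex XDR", and because the page lists no fixed build for an 8.0 branch, an 8.0.x host is treated as needing a move to a fixed branch. The version strings used in the sanity check at the end are constructed.

```powershell
# Added example for this page (not Palo Alto Networks code): is the installed Cortex XDR
# agent build in the CVE-2024-5909 affected range, and is the agent service running?
# Run in an elevated PowerShell session on the endpoint.
#
# Assumptions (adjust for your estate):
#  - the agent's Uninstall registry entry has a DisplayName starting with "Cortex XDR"
#  - the agent's Windows service has a DisplayName containing "Cortex XDR"

# Fixed builds per maintenance branch, as listed on this page. No 8.0 fix is listed,
# so an 8.0.x host is reported as needing a move to a fixed branch (assumption).
$FixedByBranch = @{
    '7.9' = [version]'7.9.102'   # 7.9.102-CE; the "-CE" suffix is stripped before comparing
    '8.1' = [version]'8.1.2'
    '8.2' = [version]'8.2.1'
    '8.3' = [version]'8.3.1'
    '8.4' = [version]'8.4.1'
}

function ConvertTo-AgentVersion {
    param([Parameter(Mandatory)][string]$Text)
    # "7.9.102-CE" -> 7.9.102 ; "8.2.0.46132" -> 8.2.0.46132 (a trailing build number is fine)
    return [version](($Text -replace '-CE$', '').Trim())
}

function Test-Cve20245909Affected {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    $v      = ConvertTo-AgentVersion $InstalledVersion
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    $bv     = [version]$branch

    if ($bv -lt [version]'7.9' -or $bv -gt [version]'8.4') {
        $affected = $false
        $note     = 'Outside the affected range (7.9-CE through 8.4.0).'
    }
    elseif ($FixedByBranch.ContainsKey($branch)) {
        # Compare within the branch: 8.3.0 is vulnerable even though 8.3.0 > 8.2.1.
        $affected = $v -lt $FixedByBranch[$branch]
        if ($affected) { $note = "Upgrade to $($FixedByBranch[$branch]) or later on the $branch branch." }
        else           { $note = 'Running a fixed build for this branch.' }
    }
    else {
        $affected = $true
        $note     = "No fixed build listed for branch $branch; move to a fixed branch."
    }

    [pscustomobject]@{ Installed = $InstalledVersion; Branch = $branch; Affected = $affected; Note = $note }
}

function Get-CortexXdrAgentVersion {
    # Read DisplayVersion from the Add/Remove Programs keys (64-bit and 32-bit hives).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cortex XDR*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Assessment of this host
$installed = Get-CortexXdrAgentVersion
if ($installed) { Test-Cve20245909Affected -InstalledVersion $installed | Format-List }
else            { Write-Warning 'No Cortex XDR agent entry found under the Uninstall registry keys.' }

# Post-upgrade check from the mitigation text: the agent service must exist and be Running.
Get-Service | Where-Object { $_.DisplayName -like '*Cortex XDR*' } |
    Select-Object Name, DisplayName, Status, StartType

# Offline sanity check of the branch logic on constructed version strings
'7.9.101-CE', '7.9.102-CE', '8.0.5', '8.2.0.46132', '8.3.0', '8.4.1' |
    ForEach-Object { Test-Cve20245909Affected $_ } | Format-Table -AutoSize
```

In the sanity check, 7.9.101-CE, 8.0.5, 8.2.0.46132 and 8.3.0 are reported as affected and 7.9.102-CE and 8.4.1 as fixed, which is the per-branch rule the page's "Fixed in" list implies. Wrap the assessment in your endpoint management tool or run it through Invoke-Command to sweep a fleet; a host whose service query returns nothing, or returns Stopped, deserves the same attention as an unpatched one.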
Upgrade the Cortex XDR agent to the latest available version. This fixes the vulnerability that lets low-privileged local users disable the agent.
CVE-2024-5909 is a vulnerability in the Palo Alto Networks Cortex XDR agent for Windows that allows a low-privileged user to disable the agent's protection, potentially enabling malware to operate undetected.
You are affected if you are running Cortex XDR Agent versions 7.9-CE through 8.4.0 on Windows devices.
Upgrade the Cortex XDR agent to the fixed build for your branch (7.9.102-CE, 8.1.2, 8.2.1, 8.3.1 or 8.4.1) to resolve this vulnerability. Palo Alto Networks provides the patched builds.
No public exploit is currently available, but the flaw requires only an ordinary local user account to trigger, which makes it a cheap post-compromise step for malware that wants to disable endpoint protection. Monitor threat intelligence feeds for changes in exploit status.
Refer to the Palo Alto Networks Security Advisories page for the official advisory regarding CVE-2024-5909: [https://knowledge.paloaltonetworks.com/kbase/kbv/detail/173632](https://knowledge.paloaltonetworks.com/kbase/kbv/detail/173632)