Platform
windows
Component
paloalto-cortex-xdr-agent
Fixed in
8.3-CE-CU-2120
7.9-CE-CU-2120
8.7.101-CE
8.9.1
9.0.1
5.10.14
A vulnerability was discovered in the protection mechanism of the Palo Alto Networks Cortex XDR agent for Windows. The flaw allows a local Windows administrator to disable the agent, which malware could exploit to carry out malicious activity without being detected. The vulnerability affects Cortex XDR agent versions 8.3 through 9.0.1, and a fix is available in version 9.0.1.
The core impact of CVE-2026-0232 lies in the ability of a local Windows administrator to circumvent the Cortex XDR agent's protection mechanisms. By disabling the agent, an attacker can effectively blind the security system to their actions. This allows malware to execute commands, exfiltrate data, or establish persistence without being detected by the agent's monitoring and response capabilities. The blast radius is limited to systems where a local administrator has been compromised, but the potential for data breaches and system compromise is significant. This vulnerability is particularly concerning given the agent's role in threat detection and response.
CVE-2026-0232 was publicly disclosed on 2026-04-13. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Active campaigns targeting this vulnerability are not currently known, but the ease of exploitation (requiring only local administrator access) suggests it could become a target for opportunistic attackers.
Organizations heavily reliant on the Cortex XDR agent for endpoint detection and response are particularly at risk. Environments with weak local administrator account controls or a history of insider threats are also more vulnerable. Shared hosting environments where multiple users have administrative privileges could experience broader impact.
• windows / supply-chain: agent service state
  Get-Service -Name "CortexXDRAgent" | Select-Object Status
• windows / supply-chain: agent scheduled tasks
  Get-ScheduledTask | Where-Object { $_.TaskName -like "CortexXDR*" }
• windows / supply-chain: recent process-creation events attributed to SYSTEM (event ID 4688 is written to the Security log by the Microsoft-Windows-Security-Auditing provider, and the EventID and Data fields live under the System and EventData nodes respectively)
  Get-WinEvent -LogName Security -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4688] and EventData[Data[@Name='TargetUserName']='SYSTEM']]" -MaxEvents 10
Exploit status
EPSS
0.02% (percentile 4%)
CISA SSVC
The primary mitigation for CVE-2026-0232 is to upgrade the Cortex XDR agent to version 9.0.1 or later. Prior to upgrading, it's crucial to assess the potential impact on existing workflows and integrations, as upgrades can sometimes introduce compatibility issues. If an immediate upgrade is not feasible, consider implementing stricter access controls for local administrator accounts to limit the potential for malicious exploitation. While a WAF or proxy cannot directly mitigate this vulnerability, ensuring robust network segmentation can limit lateral movement if a system is compromised. After upgrading, confirm the agent is running correctly and actively monitoring for threats by reviewing the agent's status and logs.
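The detection checks above and the post-upgrade verification step both come down to noticing when the agent service is stopped or disabled. As an added example that is not part of this page or of Palo Alto Networks' tooling, the following PowerShell function scans Service Control Manager events for the agent service entering the stopped state (event ID 7036) or having its start type changed to disabled (event ID 7040). It assumes the service display name contains "Cortex XDR" and runs first against constructed sample records so it works offline.

```powershell
# Added example: flag Service Control Manager events that show the Cortex XDR
# agent service being stopped (7036) or its start type changed to disabled (7040).
# Assumption: the agent service's display name contains "Cortex XDR".
function Find-AgentTamperEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects exposing Id, TimeCreated, Message
        [string] $ServicePattern = 'Cortex XDR'
    )
    foreach ($e in $Events) {
        # Only events that mention the agent service are of interest
        if ($e.Message -notmatch [regex]::Escape($ServicePattern)) { continue }
        switch ($e.Id) {
            7036 {
                if ($e.Message -match 'entered the stopped state') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Reason = 'service stopped' }
                }
            }
            7040 {
                if ($e.Message -match 'to disabled') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Reason = 'start type set to disabled' }
                }
            }
        }
    }
}

# Constructed sample records standing in for Get-WinEvent output (not real logs).
$sample = @(
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2026-04-14T09:00:00'; Message = 'The Print Spooler service entered the stopped state.' },
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2026-04-14T09:05:00'; Message = 'The Cortex XDR Agent service entered the stopped state.' },
    [pscustomobject]@{ Id = 7040; TimeCreated = [datetime]'2026-04-14T09:05:30'; Message = 'The start type of the Cortex XDR Agent service was changed from auto start to disabled.' },
    [pscustomobject]@{ Id = 7036; TimeCreated = [datetime]'2026-04-14T09:06:00'; Message = 'The Cortex XDR Agent service entered the running state.' }
)
# The Print Spooler event and the "running state" event are ignored; the two tamper events are reported.
Find-AgentTamperEvents -Events $sample | Format-Table -AutoSize

# Live use on an endpoint (needs read access to the System log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036, 7040 } -MaxEvents 500
# Find-AgentTamperEvents -Events $live
```

A local administrator can also clear the System log, so forward these events to a collector rather than relying on the endpoint's own copy.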
Update the Cortex XDR agent to version 5.10.14 or later, 8.9.1 or later, 8.7.101-CE or later, 8.3-CE-CU-2120 or later, or 9.0.1 or later to mitigate the vulnerability. This prevents local administrators from disabling the agent and compromising threat detection.
This is a vulnerability that allows a Windows administrator to disable the Cortex XDR agent, making it easier for malware to evade detection.
If you run Cortex XDR Agent for Windows in versions 8.3 through 9.0.1, you are potentially affected.
Update your Cortex XDR agent to version 9.0.1 or later to fix this vulnerability.