CVE-2026-0232 PUBLISHED

Cortex XDR Agent: Local Administrator can disable the agent on Windows

Assigner: palo_alto
Reserved: 03.11.2025 Published: 13.04.2026 Updated: 13.04.2026

A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber
CVSS Score: 4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	Palo Alto Networks
Product	Cortex XDR Agent
Versions	Default: unaffected unaffected from 9.1.0 to 5.10.14 (excl.) Version 9.0 is unaffected Version 8.9 is unaffected Version 8.7-CE is unaffected

Vendor	Palo Alto Networks
Product	Cortex XDR Agent
Versions	Default: unaffected affected from 9.0 to 9.0.1 (excl.) affected from 8.9 to 8.9.1 (excl.) affected from 8.7-CE to 8.7.101-CE (excl.) affected from 8.3-CE to 8.3-CE-CU-2120 (excl.) affected from 7.9-CE to 7.9-CE-CU-2120 (excl.)

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

WhatThe0xDoin finder

References

https://security.paloaltonetworks.com/CVE-2026-0232

Problem Types

CWE-15: External Control of System or Configuration Setting CWE

Impacts

CAPEC-578 Disable Security Software