CVE-2025-0112 Cortex XDR Agent: Local Windows User Can Disable the Agent
Description
A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows non-administrative privileges to disable the agent. This vulnerability can also be leveraged by malware to disable the Cortex XDR agent and then perform malicious activity.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XDR Agent 8.6 | None on Windows | All on Windows |
| Cortex XDR Agent 8.5 | < 8.5.1 on Windows | >= 8.5.1 on Windows |
| Cortex XDR Agent 8.4 | All on Windows * | None on Windows * |
| Cortex XDR Agent 8.3-CE | < 8.3.101-CE on Windows | >= 8.3.101-CE on Windows |
* Cortex XDR agent 8.4 reached its End-of-Life (EoL) date on February 5, 2025; no additional updates or security fixes are planned.
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-578 Disable Security Software
Solution
This issue is fixed in Cortex XDR agent 8.3.101-CE, Cortex XDR agent 8.5.1, Cortex XDR agent 8.6 and all later Cortex XDR agent versions.
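The following triage helper is an added example, not code from the advisory or from Palo Alto Networks. It applies the Product Status table and the fixed versions listed above to agent version strings taken from an endpoint inventory export; the assumed version format is `major.minor[.build[.extra]][-CE]`, and the sample hostnames and versions are constructed.

```python
"""Triage helper for CVE-2025-0112 (Cortex XDR agent on Windows).
Assumed version format: 'a.b[.c[.d]][-CE]'. Sample inventory is constructed."""
import re

# First fixed build per release branch, from the advisory's Solution section.
FIXED_BY_BRANCH = {
    "8.3-CE": (8, 3, 101),
    "8.5": (8, 5, 1),
    "8.6": (8, 6, 0),  # "None on Windows" affected: every 8.6 build is fixed
}
# 8.4 reached End-of-Life on February 5, 2025: every 8.4 build stays affected.
EOL_BRANCHES = {"8.4"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(-CE)?$")


def parse_version(text):
    """Return ((major, minor, build, extra), is_ce) for an assumed-format string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:4])
    return nums, m.group(5) is not None


def classify(version_text):
    """'fixed', 'affected', 'affected-eol' or 'unknown' (branch not in the table)."""
    nums, is_ce = parse_version(version_text)
    branch = f"{nums[0]}.{nums[1]}" + ("-CE" if is_ce else "")
    if branch in EOL_BRANCHES:
        return "affected-eol"  # no fix will ship; plan a move to a fixed branch
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown"  # e.g. 8.2: the advisory does not list that branch
    return "fixed" if nums[:3] >= fixed else "affected"


def triage(inventory):
    """Map each (hostname, version) pair from an inventory export to a status."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("WS-001", "8.5.0.1234"), ("WS-002", "8.5.1.50"), ("WS-003", "8.4.2.7"),
    ("WS-004", "8.3.100-CE"), ("WS-005", "8.3.101-CE"), ("WS-006", "8.6.0.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `affected-eol` cannot be patched in place; they need an upgrade to a branch that carries the fix.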
Workarounds and Mitigations
There are no known workarounds or mitigations for this issue.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:cortex_xdr_agent:8.3:CE:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:cortex_xdr_agent:8.4.*:*:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:cortex_xdr_agent:8.5.0:*:*:*:*:*:*:*