Palo Alto Networks Security Advisories / PAN-SA-2022-0002

PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator



The Palo Alto Networks Product Security Assurance team is aware of a technique that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.

As a result, critical Windows system services would not be available and normal usage of the device would be disrupted. Please note, the device must be rebooted for this to take effect.

This issue does not have a net security impact on the confidentiality, integrity, or availability of the system. The local Windows administrator is able to disrupt normal usage of the device without this technique.

Product Status

Cortex XDR Agent all on Windowsall on Linux and macOS

Exploitation Status

While details of this issue are publicly available, Palo Alto Networks is not aware of any malicious exploitation of this issue.


This tampering is prevented with Cortex XDR agent content update 480 and later content updates.

Workarounds and Mitigations

There is no known workaround available for this issue.


This issue was found by mr.d0x, an external security researcher.


Update to advisory language
A Cortex XDR agent content update is available to address this issue.
Clarification on the impact of this issue and new ETA for the content update.
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.