Palo Alto Networks Security Advisories / PAN-SA-2022-0004

PAN-SA-2022-0004 Informational: Cortex XDR Agent: Allow List is Visible to Low Privileged Users



The Palo Alto Networks Product Security Assurance team is aware of a method that enables a low privileged user on a Windows device to determine which local file system resources are part of the Cortex XDR agent’s configured allow list. These files are not analyzed by the agent and knowledge of the allow list can aid an attacker in environments where the allow list is misconfigured to be overly permissive.

Knowledge of this information does not impact the behavioral threat protection, malware scanning, or other endpoint protection capabilities that detect security events and prevent attacks in areas of the local filesystem that are not part of the allow list.

Product Status

Cortex XDR Agent All agents with a content update earlier than CU-630 on WindowsAll agents with CU-630 or a later content update

Required Configuration for Exposure

This method is applicable only to Cortex XDR agent deployments that use an allow list to exclude some local file system resources from analysis.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, details of this method are expected to become publicly available.


This method is detected by Cortex XDR agents on Windows with content update 630 and later content update versions.


Palo Alto Networks thanks Diego García of INCIDE for discovering and reporting this issue.


Initial publication
© 2023 Palo Alto Networks, Inc. All rights reserved.