Palo Alto Networks Security Advisories / PAN-SA-2022-0005

PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator



The Palo Alto Networks Product Security Assurance team is aware of a method that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.

As a result of this method, critical Windows system services would not be available and normal usage of the device would be disrupted. Please note, the device must be rebooted for this to take effect.

This issue is not a new security impact on the confidentiality, integrity, or availability of the system because a local Windows administrator has the ability to disrupt normal usage of the device without employing this method.

Product Status

Cortex XDR Agent All agents with a content update earlier than CU-630 on WindowsAll agents with CU-630 or a later content update

Required Configuration for Exposure

This method is applicable only to Cortex XDR agent deployments on Windows that use an allow list to exclude some local file system resources from analysis.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.


This method is prevented by Cortex XDR agents on Windows with content update 630 and later content update versions.


Palo Alto Networks thanks Milad Fadavvi of Zalando for discovering and reporting this issue.


Initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.