Cortex XDR Broker VM: Secrets Shared Across Multiple Broker VM Images
Plan Patch · 7.6 · CVE-2025-2184 · Aug 13, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A credential management flaw in Cortex XDR Broker VM causes different Broker VM images to share identical default credentials for internal services. An attacker with network access to the Broker VM could use these default credentials to access internal services on other Broker VM installations.
What this means
What could happen
An attacker could use shared default credentials to access internal services across multiple Broker VM instances, potentially allowing them to view or modify security monitoring configurations or exfiltrate log data from your network monitoring infrastructure.
Who's at risk
Security teams and IT administrators responsible for Palo Alto Networks Cortex XDR Broker VM deployments used for centralized threat detection and response across enterprise networks. Any organization running multiple Broker VM instances is at higher risk, as a single credential compromise could grant access to all instances.
How it could be exploited
An attacker with network access to a Cortex XDR Broker VM could discover or obtain the default credentials shared across all Broker VM images. These credentials could then be used to authenticate to internal services on any other Broker VM installation on the network, bypassing authentication controls.
Prerequisites
- Network access to the Broker VM on the ports hosting internal services
- Knowledge of the default credentials (either from documentation, prior exposure, or the shared credential flaw itself)
Tags: remotely exploitable · default credentials · affects security infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product              | Affected Versions | Fix Status
Cortex XDR Broker VM | Below 28.0.52     | 28.0.52+
Remediation & Mitigation
Do now
WORKAROUND: Change all default credentials for internal services on each Broker VM instance to strong, unique values
HARDENING: Restrict network access to internal service ports on Broker VMs using firewall rules; only allow access from authorized management workstations and networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Cortex XDR Broker VM to version 28.0.52 or later
HARDENING: Enable logging and monitoring of authentication attempts to internal Broker VM services to detect suspicious access patterns
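The two hardening items above (restrict access to internal service ports to management networks; monitor authentication to internal services) can be checked against authentication logs once logging is enabled. The following is an added example, not code from the advisory or from Palo Alto Networks: it parses a constructed, hypothetical log format (Broker VM's real log format is not documented on this page), flags successful authentications from outside an assumed management network (10.10.1.0/24, a placeholder), and flags any single account that has authenticated to several Broker VM hosts, which is the pattern a shared cross-image credential would produce.

```python
"""Added example (not from the advisory or Palo Alto Networks).

Detects two patterns in authentication logs for internal Broker VM services:
  1. successful authentication from a source outside the allowed management networks
  2. one account authenticating successfully to multiple Broker VM hosts

The log line format and the sample lines are constructed for this example and are
not the Broker VM's real log format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines: timestamp, Broker VM host, service, account, source IP, result.
SAMPLE_LOG = """\
2025-08-13T10:00:01Z broker-vm-01 svc=internal-db user=svcadmin src=10.10.5.20 result=success
2025-08-13T10:00:07Z broker-vm-02 svc=internal-db user=svcadmin src=10.10.5.20 result=success
2025-08-13T10:00:12Z broker-vm-03 svc=internal-db user=svcadmin src=10.10.5.20 result=success
2025-08-13T10:01:30Z broker-vm-01 svc=internal-db user=svcadmin src=10.10.5.20 result=failure
2025-08-13T10:02:00Z broker-vm-02 svc=mgmt-api user=opsuser src=10.10.1.5 result=success
2025-08-13T10:03:00Z broker-vm-02 svc=mgmt-api user=opsuser src=10.10.1.5 result=success
"""

# Assumption: authorized management workstations live in 10.10.1.0/24 (placeholder value).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]

# Hypothetical key=value line layout; adjust to the real log source when deploying.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) svc=(?P<svc>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unauthorized_sources(events, allowed=ALLOWED_MGMT_NETS):
    """Return (host, user, src) for each successful auth from outside the allowed networks."""
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in allowed):
            hits.append((e["host"], e["user"], e["src"]))
    return hits


def accounts_spanning_hosts(events, min_hosts=2):
    """Return {user: sorted hosts} for accounts with successful auths to >= min_hosts Broker VMs.

    A service account that works on every Broker VM image is exactly what a shared
    default credential looks like in the logs, so this is the pattern to alert on.
    """
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            hosts_by_user[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for hit in unauthorized_sources(evts):
        print("ALERT source outside management network:", hit)
    for user, hosts in accounts_spanning_hosts(evts).items():
        print(f"ALERT account {user} authenticated to multiple Broker VMs: {hosts}")
```

On the sample data the `svcadmin` account is reported both for coming from a non-management source and for reaching three Broker VM hosts; `opsuser`, which only touches one host from the management network, is not reported. The host-spanning check is the one that remains useful after the default credentials have been rotated, since a legitimately unique per-instance service credential should never succeed on more than one Broker VM.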
CVEs (1)
API: /api/v1/advisories/cbb0c3bd-9082-4b2e-a1a3-7fb20d6ec0a1