Cortex XDR Microsoft 365 Defender Pack: Cleartext Exposure of Credentials
Low Risk · CVSS 2.4 · CVE-2025-4234 · Sep 10, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
Cortex XDR Microsoft 365 Defender Pack versions below 4.6.5 on Windows expose user credentials in plaintext within application logs. These logs are viewable by local users and included in troubleshooting log exports, potentially exposing credentials to anyone who receives or accesses those logs.
What this means
What could happen
User credentials for Microsoft 365 Defender could be exposed in plaintext within application logs that are visible to local users and shared for troubleshooting, potentially giving an attacker access to the Microsoft 365 Defender integration.
Who's at risk
Organizations running Cortex XDR Microsoft 365 Defender Pack on Windows endpoints should be concerned. This primarily affects IT security teams and SOC operators who rely on Cortex XDR for threat detection and response across their Microsoft 365 environments.
How it could be exploited
An attacker with local access to the machine running Cortex XDR, or who gains access to logs shared for troubleshooting, can retrieve plaintext credentials from the application logs and use them to compromise the Microsoft 365 Defender integration.
Prerequisites
- Local access to the Cortex XDR host system or access to application logs collected for troubleshooting
- Cortex XDR version below 4.6.5 on Windows
Tags: Plaintext credential exposure · Affects endpoint security tools · Low CVSS (local access required)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: Cortex XDR Microsoft 365 Defender Pack
Affected versions: Below 4.6.5 on Windows
Fix status: Fixed in 4.6.5 on Windows and later
Remediation & Mitigation
Do now
HARDENING: Restrict access to Cortex XDR application logs and troubleshooting outputs to authorized personnel only
HARDENING: Review and rotate Microsoft 365 Defender credentials if logs have been shared externally or accessed by untrusted parties
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Update Cortex XDR Microsoft 365 Defender Pack to version 4.6.5 or later on Windows systems
CVEs (1): CVE-2025-4234