Cortex XDR Agent: Local Administrator can disable the agent on Windows

Monitor | CVSS 6.7 | CVE-2026-0232 | Apr 8, 2026
Vendor: Palo Alto Networks
IT in OT: Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows can be disabled by a local Windows administrator. This vulnerability allows malware or an attacker with local admin access to remove endpoint detection and response monitoring, preventing detection of subsequent malicious activity on the system.

What this means
What could happen
A local Windows administrator could disable the Cortex XDR agent, removing endpoint detection and response capabilities from the system. Malware could then run and carry out malicious activity without security monitoring or alerts.
Who's at risk
This affects any organization running Cortex XDR Agent on Windows systems, particularly those with sensitive OT/ICS networks or critical infrastructure where endpoint detection is essential for detecting unauthorized access or malware compromise.
How it could be exploited
An attacker with local administrative access to a Windows system (either through compromised credentials, malware already running with admin privileges, or lateral movement from another compromised system) can disable the Cortex XDR agent using local Windows administrative commands or tools, bypassing the protection mechanism that normally prevents this action.
Prerequisites
  • Local Windows administrator credentials or local administrative privilege level on the target system
Tags: no patch available | requires local administrator privilege | disables security monitoring
Affected products (2)

Product          | Affected Versions                          | Fix Status
Cortex XDR Agent | None on Windows                            | No fix yet
Cortex XDR Agent | Below 9.0.1 without CU-2120 on Windows     | No fix yet
Remediation & Mitigation

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Cortex XDR Agent
HOTFIX: Update Cortex XDR Agent to version 9.0.1 with CU-2120 or later on Windows systems
HARDENING: Configure Windows Group Policy to prevent termination of the Cortex XDR agent process, if available in your version
Long-term hardening
HARDENING: Restrict local administrator account privileges to only users who require them for legitimate administrative duties
HARDENING: Implement privileged account management controls to monitor and log all use of local administrator accounts
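Until the hotfix is deployed, the practical defensive control is to notice quickly when the agent stops. Windows records every service state change through the Service Control Manager: event 7036 when a service enters the stopped state and event 7040 when its start type is changed (for example to "disabled"). The script below is an added example written for this advisory; it is not OTPulse's or Palo Alto Networks' code. It parses a small constructed sample of System-log lines (the line layout and timestamps are invented for the example, not captured data) and flags both kinds of event for a watched EDR service. The watched display name "Cortex XDR Agent" is an assumption: confirm the actual service display name on an agent-managed host before using the pattern in a SIEM rule.

```python
"""Flag Service Control Manager events that show the EDR agent being stopped or disabled.

Added example for the Cortex XDR advisory above. Event IDs 7036 and 7040 are the real
SCM event IDs for "service entered the <state> state" and "start type changed";
the log lines, timestamps and the watched service name are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Constructed sample of Windows System-log lines (not captured data).
# Assumed layout: "<ISO timestamp> Service Control Manager <event id> <message>".
SAMPLE_LOG = """\
2026-04-08T10:01:12Z Service Control Manager 7036 The Windows Update service entered the running state.
2026-04-08T10:03:40Z Service Control Manager 7036 The Cortex XDR Agent service entered the stopped state.
2026-04-08T10:03:41Z Service Control Manager 7040 The start type of the Cortex XDR Agent service was changed from auto start to disabled.
2026-04-08T10:05:00Z Service Control Manager 7036 The Print Spooler service entered the stopped state.
2026-04-08T10:09:15Z Service Control Manager 7036 The Cortex XDR Agent service entered the running state.
"""

# ASSUMPTION: service display name as it appears in SCM messages; verify on a real host.
EDR_SERVICE_NAMES: Set[str] = {"Cortex XDR Agent"}

LINE_RE = re.compile(r"^(?P<ts>\S+) Service Control Manager (?P<eid>\d+) (?P<msg>.+)$")
# Event 7036 message shape: "The <name> service entered the <state> state."
STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")
# Event 7040 message shape: "The start type of the <name> service was changed from <old> to <new>."
START_TYPE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    event_id: int
    service: str
    reason: str


def parse_scm_events(text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (timestamp, event_id, message) for every well-formed SCM line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("eid")), m.group("msg")


def detect_edr_tampering(text: str, watched: Set[str] = EDR_SERVICE_NAMES) -> List[Finding]:
    """Return one Finding per event that stops or disables a watched EDR service.

    A later 'running' event does not cancel an earlier stop: the gap in coverage
    still happened and should be reviewed, so stops are always reported.
    """
    findings: List[Finding] = []
    for ts, eid, msg in parse_scm_events(text):
        if eid == 7036:
            m = STATE_RE.match(msg)
            if m and m.group("svc") in watched and m.group("state") == "stopped":
                findings.append(Finding(ts, eid, m.group("svc"), "service stopped"))
        elif eid == 7040:
            m = START_TYPE_RE.match(msg)
            if m and m.group("svc") in watched and m.group("new") == "disabled":
                reason = f"start type changed from {m.group('old')} to disabled"
                findings.append(Finding(ts, eid, m.group("svc"), reason))
    return findings


if __name__ == "__main__":
    for f in detect_edr_tampering(SAMPLE_LOG):
        print(f"{f.timestamp} event {f.event_id}: {f.service}: {f.reason}")
```

Both findings in the sample come from the same minute, which is the pattern worth alerting on: a stop followed immediately by a start-type change to "disabled" is how a deliberate shutdown looks in the System log, whereas a lone stop followed by a restart is more often an upgrade or reboot. Forward these events to a log collector the local administrator cannot clear, since the same privilege that can stop the agent can also wipe the local event log.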
API: /api/v1/advisories/84992eee-ae3e-414f-8e23-839764f5cc70


Source: OTPulse