CVE-2026-0232 (GCVE-0-2026-0232)
Vulnerability from cvelistv5
Published
2026-04-13 07:22
Modified
2026-04-13 13:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-15 - External Control of System or Configuration Setting
Summary
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Palo Alto Networks | Cortex XDR Agent |
Patch: 9.1.0 < 5.10.14 Patch: 9.0 Patch: 8.9 Patch: 8.7-CE |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T13:14:26.660757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:27:43.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cortex XDR Agent",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "5.10.14",
"status": "unaffected"
}
],
"lessThan": "5.10.14",
"status": "unaffected",
"version": "9.1.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "9.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "8.9",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "8.7-CE",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*",
"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*",
"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*"
],
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Cortex XDR Agent",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "9.0.1",
"status": "unaffected"
}
],
"lessThan": "9.0.1",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.9.1",
"status": "unaffected"
}
],
"lessThan": "8.9.1",
"status": "affected",
"version": "8.9",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.7.101-CE",
"status": "unaffected"
}
],
"lessThan": "8.7.101-CE",
"status": "affected",
"version": "8.7-CE",
"versionType": "custom"
},
{
"changes": [
{
"at": "8.3-CE",
"status": "unaffected"
}
],
"lessThan": "8.3-CE-CU-2120",
"status": "affected",
"version": "8.3-CE",
"versionType": "custom"
},
{
"changes": [
{
"at": "7.9-CE",
"status": "unaffected"
}
],
"lessThan": "7.9-CE-CU-2120",
"status": "affected",
"version": "7.9-CE",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
"versionEndExcluding": "9.0.1",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
"versionEndExcluding": "8.9.1",
"versionStartIncluding": "8.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*",
"versionEndExcluding": "8.7.101-ce",
"versionStartIncluding": "8.7.101",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "WhatThe0xDoin"
}
],
"datePublic": "2026-04-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u0026nbsp;This issue may be leveraged by malware to perform malicious activity without detection."
}
],
"value": "A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u00a0This issue may be leveraged by malware to perform malicious activity without detection."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-578",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-578 Disable Security Software"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "HIGH",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15: External Control of System or Configuration Setting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T07:22:48.325Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2026-0232"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\u003c/p\u003e\u003cp\u003eWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCortex XDR 9.1.0 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 9.0.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.9.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.7.101-CE (or later)\u003c/li\u003e\u003c/ul\u003eNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."
}
],
"value": "To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\n\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\n\n * Cortex XDR 9.1.0 (or later)\n * Cortex XDR 9.0.1 (or later)\n * Cortex XDR 8.9.1 (or later)\n * Cortex XDR 8.7.101-CE (or later)\n\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-08T16:00:00.000Z",
"value": "Initial publication."
}
],
"title": "Cortex XDR Agent: Local Administrator can disable the agent on Windows",
"workarounds": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known workarounds exist for this issue."
}
],
"value": "No known workarounds exist for this issue."
}
],
"x_affectedList": [
"Cortex XDR Agent 9.0.0",
"Cortex XDR Agent 8.9.0",
"Cortex XDR Agent 8.7-CE"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2026-0232",
"datePublished": "2026-04-13T07:22:48.325Z",
"dateReserved": "2025-11-03T20:43:53.493Z",
"dateUpdated": "2026-04-13T13:27:43.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0232\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T13:14:26.660757Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T13:15:33.586Z\"}}], \"cna\": {\"title\": \"Cortex XDR Agent: Local Administrator can disable the agent on Windows\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"WhatThe0xDoin\"}], \"impacts\": [{\"capecId\": \"CAPEC-578\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-578 Disable Security Software\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 4, \"Automatable\": \"YES\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Palo Alto Networks\", \"product\": \"Cortex XDR Agent\", \"versions\": [{\"status\": \"unaffected\", \"changes\": [{\"at\": \"5.10.14\", \"status\": \"unaffected\"}], \"version\": \"9.1.0\", \"lessThan\": \"5.10.14\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"9.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"8.9\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"8.7-CE\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*\", \"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*\", \"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*\"], \"vendor\": \"Palo Alto Networks\", \"product\": \"Cortex XDR Agent\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"9.0.1\", \"status\": \"unaffected\"}], \"version\": \"9.0\", \"lessThan\": \"9.0.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"8.9.1\", \"status\": \"unaffected\"}], \"version\": \"8.9\", \"lessThan\": \"8.9.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"8.7.101-CE\", \"status\": \"unaffected\"}], \"version\": \"8.7-CE\", \"lessThan\": \"8.7.101-CE\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"8.3-CE\", \"status\": \"unaffected\"}], \"version\": \"8.3-CE\", \"lessThan\": \"8.3-CE-CU-2120\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"7.9-CE\", \"status\": \"unaffected\"}], \"version\": \"7.9-CE\", \"lessThan\": \"7.9-CE-CU-2120\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\"], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"base64\": false}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-04-08T16:00:00.000Z\", \"value\": \"Initial publication.\"}], \"solutions\": [{\"lang\": \"eng\", \"value\": \"To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\\n\\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\\n\\n * Cortex XDR 9.1.0 (or later)\\n * Cortex XDR 9.0.1 (or later)\\n * Cortex XDR 8.9.1 (or later)\\n * Cortex XDR 8.7.101-CE (or later)\\n\\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eTo fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\u003c/p\u003e\u003cp\u003eWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\u003c/p\u003e\u003cul\u003e\u003cli\u003eCortex XDR 9.1.0 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 9.0.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.9.1 (or later)\u003c/li\u003e\u003cli\u003eCortex XDR 8.7.101-CE (or later)\u003c/li\u003e\u003c/ul\u003eNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability.\", \"base64\": false}]}], \"datePublic\": \"2026-04-08T16:00:00.000Z\", \"references\": [{\"url\": \"https://security.paloaltonetworks.com/CVE-2026-0232\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"eng\", \"value\": \"No known workarounds exist for this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"No known workarounds exist for this issue.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\\u00a0This issue may be leveraged by malware to perform malicious activity without detection.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u0026nbsp;This issue may be leveraged by malware to perform malicious activity without detection.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-15\", \"description\": \"CWE-15: External Control of System or Configuration Setting\"}]}], \"x_affectedList\": [\"Cortex XDR Agent 9.0.0\", \"Cortex XDR Agent 8.9.0\", \"Cortex XDR Agent 8.7-CE\"], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"9.0.1\", \"versionStartIncluding\": \"9.0.0\"}, {\"criteria\": \"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"8.9.1\", \"versionStartIncluding\": \"8.9.0\"}, {\"criteria\": \"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"8.7.101-ce\", \"versionStartIncluding\": \"8.7.101\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"shortName\": \"palo_alto\", \"dateUpdated\": \"2026-04-13T07:22:48.325Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-0232\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T13:27:43.511Z\", \"dateReserved\": \"2025-11-03T20:43:53.493Z\", \"assignerOrgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"datePublished\": \"2026-04-13T07:22:48.325Z\", \"assignerShortName\": \"palo_alto\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…