{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0232","assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","state":"PUBLISHED","assignerShortName":"palo_alto","dateReserved":"2025-11-03T20:43:53.493Z","datePublished":"2026-04-13T07:22:48.325Z","dateUpdated":"2026-04-13T13:27:43.511Z"},"containers":{"cna":{"providerMetadata":{"orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto","dateUpdated":"2026-04-13T07:22:48.325Z"},"title":"Cortex XDR Agent: Local Administrator can disable the agent on Windows","datePublic":"2026-04-08T16:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-15","description":"CWE-15: External Control of System or Configuration Setting","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-578","descriptions":[{"lang":"en","value":"CAPEC-578 Disable Security Software"}]}],"affected":[{"vendor":"Palo Alto Networks","product":"Cortex XDR Agent","versions":[{"status":"unaffected","version":"9.1.0","lessThan":"5.10.14","changes":[{"at":"5.10.14","status":"unaffected"}],"versionType":"custom"},{"status":"unaffected","version":"9.0","versionType":"custom"},{"status":"unaffected","version":"8.9","versionType":"custom"},{"status":"unaffected","version":"8.7-CE","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"Palo Alto Networks","product":"Cortex XDR Agent","versions":[{"status":"affected","version":"9.0","lessThan":"9.0.1","changes":[{"at":"9.0.1","status":"unaffected"}],"versionType":"custom"},{"status":"affected","version":"8.9","lessThan":"8.9.1","changes":[{"at":"8.9.1","status":"unaffected"}],"versionType":"custom"},{"status":"affected","version":"8.7-CE","lessThan":"8.7.101-CE","changes":[{"at":"8.7.101-CE","status":"unaffected"}],"versionType":"custom"},{"status":"affected","version":"8.3-CE","lessThan":"8.3-CE-CU-2120","changes":[{"at":"8.3-CE","status":"unaffected"}],"versionType":"custom"},{"status":"affected","version":"7.9-CE","lessThan":"7.9-CE-CU-2120","changes":[{"at":"7.9-CE","status":"unaffected"}],"versionType":"custom"}],"defaultStatus":"unaffected","platforms":["Windows"],"cpes":["cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:9.0.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.9.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:8.7-CE:*:*:*:*:Windows:*:*"]}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionStartIncluding":"8.9.0","versionEndExcluding":"8.9.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:palo_alto_networks:cortex_xdr_agent:*:*:*:*:*:Windows:*:*","versionStartIncluding":"8.7.101","versionEndExcluding":"8.7.101-ce"}]}]}],"descriptions":[{"lang":"en","value":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.","supportingMedia":[{"type":"text/html","base64":false,"value":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.&nbsp;This issue may be leveraged by malware to perform malicious activity without detection."}]}],"references":[{"url":"https://security.paloaltonetworks.com/CVE-2026-0232","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER","version":"4.0","baseSeverity":"MEDIUM","baseScore":4,"vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber"}}],"workarounds":[{"lang":"eng","value":"No known workarounds exist for this issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"No known workarounds exist for this issue."}]}],"solutions":[{"lang":"eng","value":"To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.\n\nWhile the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:\n\n * Cortex XDR 9.1.0 (or later)\n * Cortex XDR 9.0.1 (or later)\n * Cortex XDR 8.9.1 (or later)\n * Cortex XDR 8.7.101-CE (or later)\n\nNote for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>To fully remediate this vulnerability, customers must ensure their Content Update is at version 2120 or higher. This update provides the necessary protection across all supported versions of Cortex XDR.</p><p>While the Content Update provides the primary fix, the following software releases include complementary architectural enhancements to further harden the environment:</p><ul><li>Cortex XDR 9.1.0 (or later)</li><li>Cortex XDR 9.0.1 (or later)</li><li>Cortex XDR 8.9.1 (or later)</li><li>Cortex XDR 8.7.101-CE (or later)</li></ul>Note for 8.3-CE and 7.9-CE: These versions are fully protected by applying Content Update 2120. No additional software upgrade is required for these versions to mitigate this specific vulnerability."}]}],"exploits":[{"lang":"en","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}]}],"timeline":[{"time":"2026-04-08T16:00:00.000Z","lang":"en","value":"Initial publication."}],"credits":[{"lang":"en","value":"WhatThe0xDoin","type":"finder"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"},"x_affectedList":["Cortex XDR Agent 9.0.0","Cortex XDR Agent 8.9.0","Cortex XDR Agent 8.7-CE"]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-13T13:14:26.660757Z","id":"CVE-2026-0232","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-13T13:27:43.511Z"}}]}}