CVE-2025-0112: 
Cortex XDR vulnerability analysis and mitigation

A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows non-administrative privileges to disable the agent. This vulnerability (CVE-2025-0112) was discovered internally by Eldar Aharoni of Palo Alto Networks and publicly disclosed on February 12, 2025. The vulnerability affects multiple versions of Cortex XDR Agent on Windows, including versions 8.3-CE, 8.4, 8.5, and 8.6 (Palo Alto).

The vulnerability has been assigned a CVSS Base Score of 4.3 (MEDIUM) with the following vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/U:Amber. The weakness is categorized as CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-578 (Disable Security Software). The vulnerability requires local access and low privileges to exploit, with no user interaction needed (Palo Alto).

If exploited, this vulnerability allows non-administrative Windows users to disable the Cortex XDR agent. More critically, malware can leverage this vulnerability to disable the security agent and subsequently perform malicious activities without detection (Palo Alto).

The vulnerability has been fixed in Cortex XDR agent versions 8.3.101-CE, 8.5.1, 8.6, and all later versions. There are no known workarounds or alternative mitigations for this issue (Palo Alto).