Security Experts:

Connect with us

Hi, what are you looking for?



Several Vulnerabilities Allow Disabling of Palo Alto Networks Products

Cybersecurity firm Palo Alto Networks has informed customers about several vulnerabilities that could allow a malicious actor to disable its products.

Cybersecurity firm Palo Alto Networks has informed customers about several vulnerabilities that could allow a malicious actor to disable its products.

A security researcher who uses the online moniker “mr.d0x” informed the company that its Cortex XDR Agent can be bypassed by an attacker with elevated privileges.

The researcher discovered that the agent can be disabled by a local attacker with administrator privileges simply by modifying a registry key, leaving the endpoint exposed to attacks. The product’s anti-tampering feature is unable to prevent the use of this method.

Mr.d0x also discovered that there is a default “uninstall password” that — if it hasn’t been changed by the admin — can also be used to disable the XDR agent.

If the default password has been changed, the new password’s hash can be obtained from a file. The attacker can then attempt to crack the password. It may also be possible for an attacker who does not have administrator privileges to obtain this hash.

Mr.d0x said he discovered these vulnerabilities in the summer of 2021, but he only now published a blog post detailing the findings to give the vendor enough time to take action. However, Palo Alto Networks is still working on patches and protections for these issues.

“It’s important for security solutions to implement adequate tamper protection to avoid being targeted by attackers,” Mr.d0x said. “Furthermore, it shouldn’t be trivial to obtain credentials or privileges that can disable the security solution.”

The cybersecurity company has also informed customers about a denial-of-service (DoS) vulnerability affecting the DNS proxy feature in its PAN-OS software. A man-in-the-middle (MitM) attacker can use specially crafted traffic to disrupt affected firewalls. Patches are available for all supported versions of PAN-OS.

An MitM attacker can also launch a DoS attack against PAN-OS, the GlobalProtect app, and the Cortex XDR agent by exploiting a recently patched OpenSSL vulnerability tracked as CVE-2022-0778.

Several cybersecurity vendors have been assessing the impact of this flaw on their products.

Palo Alto Networks says it’s not aware of any attacks exploiting these vulnerabilities. All of the flaws have a severity rating of “medium,” “low” or “informational.”

UPDATE: Palo Alto Networks has updated its advisory for the issue that involves Windows registry modifications to explain that the tampering will also result in critical system services becoming unavailable, which leads to normal usage being disrupted. The Cortex XDR agent is disabled and these system services become unavailable after the device has been rebooted.

*article also updated to note that a patch is available for the PAN-OS DoS vulnerability. The severity ratings are based on CVSS scores and not the vendor’s assessment of exploitability.

Related: Remote Code Execution Flaw in Palo Alto GlobalProtect VPN

Related: Palo Alto Networks Patches Flaws in Prisma Cloud Compute, Cortex XDR Agent

Related: US Cyber Command: Foreign APTs Likely to Exploit New Palo Alto Networks Flaw

Related: Palo Alto Networks Patches Critical Vulnerability in Cortex XSOAR

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet