Bypass Record

Exploitation for Priv-Esc × Palo Alto Networks Cortex XDR Broker VM

A publicly-reported instance of Exploitation for Priv-Esc bypassing Palo Alto Networks Cortex XDR Broker VM, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Palo Alto Networks Cortex XDR Broker VM
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Low
Status: PoC
Disclosed: 2025-05-14
Config / version noted: Yes

Provenance

Reported as

A code injection vulnerability in Palo Alto Networks Cortex XDR Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host OS.

Mechanism

An authenticated user can inject code into the Broker VM, leading to arbitrary code execution with root privileges on the host operating system. This defeats the isolation that the Broker VM component is meant to provide.

Detection & mitigation

Monitor Cortex XDR Broker VM logs for unexpected process creation or command execution, especially when it originates from authenticated but non-administrative users. Apply the vendor patch (version 26.0.119 or later) immediately to remediate the vulnerability.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.