Bypass Record
Disable or Modify Tools × Palo Alto Networks Cortex XDR Agent
A publicly reported instance of Disable or Modify Tools bypassing the Palo Alto Networks Cortex XDR Agent, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
CVE-2024-5907: When the Cortex XDR agent generates a support file, it creates a temporary folder under C:\Windows\Temp whose name is predictable and whose ACL lets low-privileged users write into it. An attacker who plants a junction (an NTFS directory reparse point, not a plain file link) inside that folder, pointing at a directory of their choosing, causes the SYSTEM-level cyserver.exe process to follow the junction and delete arbitrary files or folders when it cleans the folder up. Chained with a Windows Installer race condition (the usual route from an arbitrary-delete-as-SYSTEM primitive to code execution as SYSTEM), this yields local privilege escalation.

CVE-2024-9469: The agent's Adaptive Policy feature watches the CPU consumption of the agent's own processes and automatically disables protection when it stays high, so that the agent does not become a performance problem on the host. A low-privileged user can drive that CPU usage up artificially, trip the threshold, and have the agent switch off all of its protections. No administrative rights are needed.

Both issues require an existing foothold as a local user on the endpoint; neither is remotely exploitable on its own.
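The CVE-2024-5907 primitive needs two things to line up: a folder under C:\Windows\Temp that a low-privileged principal can create entries in, and a junction planted inside it before the SYSTEM process runs its cleanup. The PowerShell below, an added example and not Palo Alto Networks code, audits every subfolder of C:\Windows\Temp for both conditions. It assumes it is run from an elevated prompt (Get-Acl on other users' folders needs it); the agent's actual support-folder name is not given on this page, so no folder name is hard-coded.

```powershell
# Added example, not Palo Alto Networks code: audit C:\Windows\Temp for the two
# preconditions the CVE-2024-5907 primitive relies on: a subfolder that
# low-privileged principals can write into, and a junction or other reparse
# point already planted there. Run from an elevated prompt. The agent's actual
# support-folder name is not stated on the page, so every subfolder is checked.

$TempRoot = 'C:\Windows\Temp'

# SIDs that any interactive low-privileged user can act as.
$LowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545'    # BUILTIN\Users
)

# Rights that allow creating or deleting entries inside a directory, which is
# all that planting a junction needs. Generic write/all bits are included
# because ACEs written with generic access masks do not map onto the enum.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl) -bor 0x40000000 -bor 0x10000000

function Test-WeakDirectoryAcl {
    # True if any low-privileged SID holds an Allow ACE with write/delete rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account; not one of the SIDs above
        $granted = [int]$ace.FileSystemRights
        if ($LowPrivSids -contains $sid -and ($granted -band $WriteRights) -ne 0) {
            return $true
        }
    }
    return $false
}

function Find-SuspiciousTempFolders {
    # Emit one object per subfolder that is writable by low-privileged users,
    # is itself a reparse point, or already contains reparse points.
    param([string]$Root = $TempRoot)
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $dir     = $_
        $weakAcl = Test-WeakDirectoryAcl -Path $dir.FullName
        $isLink  = $dir.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
        $planted = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) } |
            ForEach-Object { '{0} ({1}) -> {2}' -f $_.Name, $_.LinkType, ($_.Target -join ', ') })
        if ($weakAcl -or $isLink -or $planted.Count -gt 0) {
            [pscustomobject]@{
                Folder              = $dir.FullName
                WeakAcl             = $weakAcl
                IsReparsePoint      = $isLink
                ReparsePointsInside = $planted
            }
        }
    }
}

Find-SuspiciousTempFolders | Format-List
```

A folder that shows WeakAcl = True is the precondition; one that also lists a junction inside it, or is a junction itself, is the attack in progress or its leftovers. The same check is worth running on any other temporary folder a SYSTEM service creates and later deletes, since the pattern is not specific to this agent.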
Detection & mitigation
Monitor for unexpected termination or suspension of Cortex XDR agent processes (for example cyserver.exe) and for changes to agent configuration or protection status, using the Windows Security and System event logs and the agent's own telemetry in the Cortex console. Mitigate by applying the vendor patches, restricting local administrative privileges, and hardening file system permissions on the temporary folders the agent uses. Note that both issues are exploitable from a low-privileged account, so removing local admin rights limits what an attacker can do afterwards but does not by itself block either bypass; the patch is the actual fix.
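The observable both issues share is the agent going away: its process exits or its service stops. The PowerShell below, an added example and not Palo Alto Networks code, pulls the corresponding events from the local logs and reports whether the agent process is running right now. It assumes the agent process is cyserver.exe (named on this page); the service-name pattern 'cyserver|Cortex XDR' is a guess that should be adjusted to the installed service name; and Security event 4689 (process exit) is only written where the "Audit Process Termination" subcategory is enabled.

```powershell
# Added example, not Palo Alto Networks code: pull the events that show the
# agent going away, the observable both CVEs on this page share.
# Assumptions: the agent process is cyserver.exe (named on the page); the
# service-name pattern 'cyserver|Cortex XDR' is a guess, adjust it to the
# installed service name; Security 4689 only exists where
# "Audit Process Termination" is enabled.

function Get-AgentTerminationEvents {
    param(
        [datetime]$Since          = (Get-Date).AddDays(-7),
        [string]  $ProcessName    = 'cyserver.exe',
        [string]  $ServicePattern = 'cyserver|Cortex XDR'
    )
    $hits = New-Object System.Collections.Generic.List[object]

    # Security 4689: a process exited. Match on the image path from EventData
    # rather than on the rendered message so the check survives localisation.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ProcessName'] -like "*\$ProcessName") {
            $hits.Add([pscustomobject]@{
                Time   = $e.TimeCreated
                Log    = 'Security'
                Id     = 4689
                Detail = '{0} exited with status {1}, subject {2}\{3}' -f $data['ProcessName'], $data['Status'], $data['SubjectDomainName'], $data['SubjectUserName']
            })
        }
    }

    # System 7034 (service terminated unexpectedly) and 7036 (state change,
    # keep only transitions to 'stopped') from the Service Control Manager.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7034, 7036; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $sys) {
        if ($e.Message -notmatch $ServicePattern) { continue }
        if ($e.Id -eq 7036 -and $e.Message -notmatch 'stopped') { continue }
        $hits.Add([pscustomobject]@{ Time = $e.TimeCreated; Log = 'System'; Id = $e.Id; Detail = $e.Message })
    }
    $hits | Sort-Object Time
}

function Test-AgentProcessRunning {
    # Live check: is the agent process present at all right now?
    param([string]$ProcessName = 'cyserver')
    return [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
}

Get-AgentTerminationEvents | Format-Table -AutoSize -Wrap
"Agent process running now: $(Test-AgentProcessRunning)"
```

On a fleet, the same two queries belong in the SIEM as a scheduled search keyed on the agent's process and service names, alerting on any 4689 or 7034/7036-stopped event that is not paired with a planned upgrade or reboot. A CVE-2024-9469 style auto-disable may not stop the process at all, so the Cortex console's own agent-status telemetry should be watched alongside the host logs.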
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.