Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Cortex XDR Vulnerability Enables Covert Command Channels

Cortex XDR Vulnerability Enables Covert Command Channels

Posted on February 25, 2026 By CWS

A recent study has uncovered a significant vulnerability in Palo Alto Networks’ Cortex XDR Live Terminal feature, which can be exploited to create command-and-control (C2) channels. This feature, embedded within a trusted endpoint detection and response (EDR) agent, typically evades detection by enterprise security systems, presenting a stealthy opportunity for attackers.

Understanding Cortex XDR’s Vulnerability

The Live Terminal function is a legitimate remote management tool, enabling security personnel to execute commands, run scripts, and manage processes remotely. Communication occurs through WebSocket connections to Palo Alto’s cloud infrastructure. Notably, the protocol lacks command signing, allowing attackers to intercept and reroute communications to a server they control without verification.

InfoGuard Labs discovered that the cortex-xdr-payload.exe, a client-side component, is trusted by the EDR engine. This allows any executed commands to bypass standard detection mechanisms. The research highlights two exploitation methods: a cross-tenant attack using an attacker’s Cortex tenant and a method involving a custom server mimicking WebSocket communication.

Exploitation Techniques

In the cross-tenant scenario, attackers generate a valid session token from their own Cortex tenant, which they then use to redirect the victim’s endpoint to their server. Alternatively, attackers can create a custom server that replicates the WebSocket communication protocol, enabling them to control endpoints with minimal development effort.

This vulnerability poses a severe risk to enterprises using Cortex XDR. Once attackers gain access, they can maintain control over compromised systems clandestinely. The network traffic produced mimics regular Cortex agent activity, often escaping TLS inspection, allowing attackers to move laterally and gather data undetected.

Technical Details and Recommendations

When launching a Live Terminal session, a WebSocket message from Palo Alto’s cloud instructs the agent to execute cortex-xdr-payload.exe with specific parameters. Upon decompiling this executable, researchers identified a flaw in how server addresses are validated, allowing malicious URLs to bypass security checks.

The cross-tenant attack involves intercepting session tokens before the victim’s system connects to the attacker’s tenant, granting full access via the official interface. The legitimate parent process for cortex-xdr-payload.exe is cyserver.exe, and any deviation should raise alarms.

Palo Alto Networks was informed of these issues in September 2025, with versions 8.7 to 8.9 reportedly including fixes. However, tests in February 2026 revealed the vulnerabilities persist. Security teams are advised to monitor process creation events and flag anomalies. Implementing mutual authentication and command signing within the protocol is crucial for prevention.

For continuous updates on this and other cybersecurity news, follow us on Google News, LinkedIn, and X, and set CSN as a preferred source on Google.

Cyber Security News Tags:attack vectors, command-and-control, Cortex XDR, Cybersecurity, EDR agent, endpoint security, enterprise security, InfoGuard Labs, living-off-the-land, network traffic, Palo Alto Networks, security protocols, threat analysis, Vulnerability, WebSocket

Post navigation

Previous Post: Cybercriminals Exploit Fake Avast Site for Credit Card Data
Next Post: SURXRAT Android Malware Threatens Global Device Security

Related Posts

Evolution of DDoS Attacks Mitigation Strategies for 2025 Evolution of DDoS Attacks Mitigation Strategies for 2025 Cyber Security News
Rundll32 and WebDAV: New ClickFix Variant Evades Detection Rundll32 and WebDAV: New ClickFix Variant Evades Detection Cyber Security News
Agentjacking Exploits AI Tools to Execute Malicious Code Agentjacking Exploits AI Tools to Execute Malicious Code Cyber Security News
Critical Salesforce Tableau Vulnerabilities Let Attackers Execute Code Remotely Critical Salesforce Tableau Vulnerabilities Let Attackers Execute Code Remotely Cyber Security News
Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges Cyber Security News
Deep Dive into Endpoint Security Deep Dive into Endpoint Security Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • SpaceX X Accounts Hacked to Promote Crypto Scam
  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • SpaceX X Accounts Hacked to Promote Crypto Scam
  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark