CVE-2025-0121: 
Cortex XDR vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2025-0121) was discovered in the Palo Alto Networks Cortex® XDR agent on Windows devices. The vulnerability was disclosed on April 9, 2025, affecting multiple versions of the Cortex XDR Agent including versions 8.7, 8.6, 8.5, 8.3-CE, and 7.9-CE on Windows systems (Palo Alto Advisory).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS Base Score of 4.3 (MEDIUM). The CVSS v4.0 vector string is CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber. The vulnerability requires low privileges and no user interaction for exploitation (Palo Alto Advisory).

When exploited, this vulnerability allows a low-privileged local Windows user to crash the Cortex XDR agent. More significantly, malware can leverage this vulnerability to perform malicious activities without being detected by Cortex XDR, as the agent would be disabled (Palo Alto Advisory).

The vulnerability has been fixed in multiple versions: Cortex XDR Agent 8.6.1, Cortex XDR Agent 8.5.2, Cortex XDR Agent 8.3.101-CE HF, Cortex XDR Agent 7.9.103-CE HF, and all later versions. There are no known workarounds for this issue, making it critical for affected users to update to the patched versions (Palo Alto Advisory).