A significant vulnerability has been discovered in Palo Alto Networks’ Cortex XDR Live Terminal feature, allowing attackers to establish covert command-and-control (C2) communications. This exploitation method is particularly concerning as it leverages a legitimate and trusted component of an endpoint detection and response (EDR) agent, making the malicious traffic difficult for enterprise security tools to identify. The research, conducted by InfoGuard Labs, highlights how attackers can abuse the Live Terminal feature for persistent and stealthy control over compromised endpoints.
The Cortex XDR Live Terminal is designed to empower security teams with remote access capabilities, enabling them to execute commands, manage files, and monitor processes directly from a central console. However, researchers found that the underlying protocol lacks command signing: there is no verification that instructions originate from an authorized administrator. This oversight allows an attacker who intercepts the initial communication to redirect the endpoint’s connection to a server they control, effectively hijacking the trusted channel.
How Attackers Exploit the Cortex XDR Live Terminal Feature
InfoGuard Labs researchers detailed two primary methods by which attackers can exploit the Cortex XDR Live Terminal. The first involves a “cross-tenant attack,” where an attacker uses their own Cortex tenant to generate a valid session token and then reroutes the victim’s endpoint to connect back to this attacker-controlled tenant. This grants the attacker direct access through what appears to be a legitimate session.
The second method involves creating a custom server that mimics the WebSocket communication protocol used by the Live Terminal. The researchers noted that this requires minimal development effort, as they were able to reconstruct the protocol based on captured traffic. The core of the exploitation lies in a logic flaw within the `cortex-xdr-payload.exe` client-side component. This executable, being part of a trusted EDR agent, can execute commands that bypass traditional detection and prevention mechanisms, embodying a potent “Living off the Land” technique.
A critical vulnerability was identified in how the Live Terminal’s server address is validated. Specifically, the `run_lrc_payload` function checks whether the server value ends with `.paloaltonetworks.com`. However, this suffix check is performed on the entire URL string rather than on the parsed hostname. As a result, a malicious URL such as `attacker.com/test.paloaltonetworks.com` passes the validation even though the host it connects to is `attacker.com`, and the client establishes a connection to an attacker-controlled server. This bypass undermines the intended security check.
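To make the validation flaw concrete, the following added example (not the vendor’s code, and not the real `run_lrc_payload` implementation) places a string-suffix check of the kind the article describes next to a hardened version that parses the URL and compares only the host component. The `wss` scheme requirement and the `flawed_check`/`hardened_check` names are assumptions made for this illustration; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# The article says the client tests whether the server value ends with this
# suffix. The constant is taken from the article; everything else is illustrative.
ALLOWED_SUFFIX = ".paloaltonetworks.com"
ALLOWED_DOMAIN = ALLOWED_SUFFIX[1:]          # "paloaltonetworks.com"

# Assumption: the Live Terminal channel is a WebSocket over TLS, so only wss is accepted.
ALLOWED_SCHEMES = ("wss",)


def flawed_check(server: str) -> bool:
    """Suffix match on the raw string (hypothetical reconstruction of the flaw).

    A path, query or userinfo component that happens to end with the suffix
    satisfies this test, even when the actual host is something else.
    """
    return server.endswith(ALLOWED_SUFFIX)


def hardened_check(server: str) -> bool:
    """Parse the URL and validate the scheme and the hostname only."""
    parts = urlsplit(server)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                      # bare "host/path" strings have no scheme
    host = parts.hostname                 # lower-cased; excludes port, userinfo, path
    if not host:
        return False
    # Accept the apex domain or a subdomain with a dot boundary; reject
    # look-alikes such as "evilpaloaltonetworks.com" or "x.paloaltonetworks.com.attacker.com".
    return host == ALLOWED_DOMAIN or host.endswith(ALLOWED_SUFFIX)


def compare(server: str) -> dict:
    """Return both verdicts for a single candidate server value."""
    return {"server": server,
            "flawed": flawed_check(server),
            "hardened": hardened_check(server)}


if __name__ == "__main__":
    # Constructed sample inputs: the bypass string from the article plus a few
    # variants a reviewer would test a host allow-list against.
    samples = [
        "attacker.com/test.paloaltonetworks.com",            # bypass from the article
        "wss://attacker.com/test.paloaltonetworks.com",      # same trick with a scheme
        "wss://tenant.paloaltonetworks.com@attacker.com/",   # userinfo look-alike
        "wss://tenant.paloaltonetworks.com.attacker.com/",   # subdomain look-alike
        "wss://example-tenant.paloaltonetworks.com/ws",      # legitimate shape (constructed)
    ]
    for s in samples:
        print(compare(s))
```

The hardened variant rejects the article’s bypass string on two independent grounds (no scheme, and no host component), and still rejects it when a `wss://` prefix is added because the parsed host is `attacker.com`. Host-name allow-listing of this kind is only a partial control; the article’s point stands that command signing and mutual authentication are what actually bind the channel to the legitimate tenant.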
Once an attacker gains initial access to an endpoint, they can leverage these vulnerabilities to establish a persistent and hidden command channel. The network traffic generated by this abuse blends seamlessly with legitimate Cortex agent communications. Furthermore, this traffic is often excluded from TLS inspection, enabling attackers to issue commands, move laterally within the network, and exfiltrate data with a minimal digital footprint, making detection exceptionally challenging.
The legitimate parent process for `cortex-xdr-payload.exe` is `cyserver.exe`. Security teams are advised to treat any instance where this executable is launched by a different parent process as highly suspicious. This deviation from the established process hierarchy can serve as a critical indicator of compromise.
Palo Alto Networks Response and Mitigation Strategies
Palo Alto Networks was reportedly notified of these findings on September 30, 2025. The company subsequently stated that versions 8.7 through 8.9 of Cortex XDR contained a fix for this issue. However, subsequent testing conducted on February 23, 2026, using version 8.9.1 with the latest content updates, indicated that the exploitation and host bypass vulnerabilities were still fully functional, suggesting the implemented fix may not have been completely effective.
To mitigate this risk, security teams should actively monitor for process creation events and flag any occurrences of `cortex-xdr-payload.exe` being launched by a parent process other than `cyserver.exe`. This proactive monitoring can help detect potential abuse of the Live Terminal feature.
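The parent-process rule from the two paragraphs above, applied to process-creation telemetry, as an added example that is not part of the original article and not a vendor detection rule. The records are constructed sample events modelled loosely on Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`, `UtcTime`); the install paths in them are placeholders, not the agent’s real install location. The only facts taken from the article are the two executable names.

```python
import ntpath
from typing import Dict, Iterable, List

# From the article: the legitimate parent of the payload executable is cyserver.exe.
TARGET_IMAGE = "cortex-xdr-payload.exe"
EXPECTED_PARENT = "cyserver.exe"

# Constructed sample telemetry. Paths are placeholders; "ProcessId" values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2026-02-23 09:00:01", "ProcessId": "4120",
     "Image": r"C:\Program Files\PLACEHOLDER-AGENT-DIR\cortex-xdr-payload.exe",
     "ParentImage": r"C:\Program Files\PLACEHOLDER-AGENT-DIR\cyserver.exe",
     "CommandLine": "cortex-xdr-payload.exe"},
    {"UtcTime": "2026-02-23 09:00:07", "ProcessId": "5216",
     "Image": r"C:\Program Files\PLACEHOLDER-AGENT-DIR\cortex-xdr-payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cortex-xdr-payload.exe"},
    {"UtcTime": "2026-02-23 09:00:09", "ProcessId": "5304",
     "Image": r"C:\Users\Public\CORTEX-XDR-PAYLOAD.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "CORTEX-XDR-PAYLOAD.EXE"},
    {"UtcTime": "2026-02-23 09:00:12", "ProcessId": "5390",
     "Image": r"C:\Program Files\PLACEHOLDER-AGENT-DIR\cortex-xdr-payload.exe",
     "ParentImage": "",                      # parent already exited / not recorded
     "CommandLine": "cortex-xdr-payload.exe"},
    {"UtcTime": "2026-02-23 09:00:15", "ProcessId": "5402",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def _basename(path: str) -> str:
    """Windows-style basename, lower-cased, usable on any host OS."""
    return ntpath.basename(path or "").lower()


def find_suspicious_launches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag every launch of the payload executable whose parent is not cyserver.exe.

    A missing parent is also flagged: the rule is an allow-list on the parent,
    so an unknown parent must not be treated as benign.
    """
    findings = []
    for ev in events:
        if _basename(ev.get("Image")) != TARGET_IMAGE:
            continue
        parent = _basename(ev.get("ParentImage"))
        if parent == EXPECTED_PARENT:
            continue
        reason = "parent process not recorded" if not parent else f"unexpected parent {parent}"
        findings.append({
            "UtcTime": ev.get("UtcTime", ""),
            "ProcessId": ev.get("ProcessId", ""),
            "Image": ev.get("Image", ""),
            "ParentImage": ev.get("ParentImage", ""),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_launches(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} pid={f['ProcessId']} {f['reason']}: {f['Image']}")
```

Matching on the parent’s file name alone is the rule the article states; in production the same check would normally be tightened by also requiring the parent’s full path and code signature to match the installed agent, so that a renamed binary called `cyserver.exe` in another directory does not satisfy it.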
Moving forward, a more robust solution is required. Palo Alto Networks should implement mutual authentication and cryptographic command signing within the Live Terminal protocol to ensure the integrity and authenticity of commands. Relying solely on detection-based approaches, such as parent process rules, is insufficient to prevent this type of sophisticated abuse. A secure-by-design redesign of the Live Terminal’s architecture at the protocol level is necessary to eliminate the possibility of such exploitation in the future.