A newly disclosed research finding has revealed that Palo Alto Networks’ Cortex XDR Live Terminal feature can be turned into a command-and-control (C2) channel by attackers.
Since this feature runs inside a trusted endpoint detection and response (EDR) agent, the traffic it produces is largely accepted by enterprise security tools, making this a quiet and difficult-to-detect abuse method.
Cortex XDR’s Live Terminal is a legitimate remote management feature that allows security teams to execute commands, run PowerShell and Python scripts, browse files, and manage processes on endpoints from a central console.
The feature communicates through WebSocket connections to Palo Alto’s cloud infrastructure.
Researchers found that the protocol underlying this feature has no command signing, meaning there is no check to verify that instructions actually come from a legitimate administrator.
Any attacker who intercepts the initial WebSocket message and alters the server value it carries can redirect the endpoint’s connection to a server they control.
InfoGuard Labs researchers identified that because cortex-xdr-payload.exe — the client-side component of Live Terminal — is already trusted by the EDR engine, commands executed through this channel can bypass traditional detection and prevention rules.
This makes it a strong “Living off the Land” technique: the attacker drives a binary that is already on the system, and already trusted by its own EDR, instead of dropping new malware. The research outlines two methods by which the feature can be abused.
In the first method, a cross-tenant attack, the attacker uses their own Cortex tenant to generate a valid session token, then redirects the victim’s endpoint to connect back to the attacker-controlled tenant.
The second method is a custom server that replicates the WebSocket protocol; according to the researchers this takes very little development work once the legitimate traffic has been captured.
The impact is serious for any enterprise running Cortex XDR. Once an attacker gains initial access, they can use this technique to maintain persistent and hidden control over compromised endpoints without dropping any extra tools.
Network traffic produced by this technique blends in with normal Cortex agent traffic and is often excluded from TLS inspection, letting attackers issue commands, move laterally, and collect files with very little noise.
How Attackers Exploit the Feature
When a Live Terminal session is started, a WebSocket message is sent from Palo Alto’s cloud to the Cortex agent.
This message contains command-line arguments instructing the agent to launch cortex-xdr-payload.exe with specific server and token values. The researchers unpacked the executable with PyInstaller extraction tools and decompiled it with pylingual, which showed it to be a Python 3.12 application.
Inside the decompiled code, a significant logic flaw was found in how the server address is validated.
The function run_lrc_payload checks whether the server value ends with .paloaltonetworks.com, but it runs this suffix check against the full URL string rather than the parsed hostname.
A crafted value such as attacker.com/test.paloaltonetworks.com therefore satisfies the check while the actual connection goes to attacker.com, an attacker-owned server.
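The flaw described above, reconstructed as an added example. This is not the decompiled code from the research; only the suffix being checked and the crafted value attacker.com/test.paloaltonetworks.com come from the article, and the function bodies and names below are assumptions. It puts the whole-string suffix test beside a version that parses the hostname first, and goes slightly beyond the article by also covering query-string and look-alike-domain variants of the same bypass.

```python
from urllib.parse import urlsplit

# Suffix the article says run_lrc_payload checks for.
ALLOWED_SUFFIX = ".paloaltonetworks.com"


def vulnerable_server_check(server: str) -> bool:
    """Reconstruction (an assumption, not the vendor's code) of the flawed
    check: the suffix test runs over the whole value, so anything after the
    host (path, query, fragment) can satisfy it."""
    return server.endswith(ALLOWED_SUFFIX)


def hostname_of(server: str) -> str:
    """Lower-cased host part of a server value, whether given as a bare host,
    host:port, or a full ws(s):// URL. Returns '' when no host can be parsed,
    so callers fail closed."""
    # urlsplit only recognises an authority when a scheme is present, so
    # give scheme-less values one before parsing.
    if "://" not in server:
        server = "wss://" + server
    host = urlsplit(server).hostname or ""
    # Tolerate an absolute-form name with a trailing dot.
    return host.rstrip(".")


def hardened_server_check(server: str) -> bool:
    """Suffix test applied to the parsed hostname only. The leading dot in
    ALLOWED_SUFFIX also enforces a label boundary, so a look-alike such as
    evilpaloaltonetworks.com is rejected."""
    return hostname_of(server).endswith(ALLOWED_SUFFIX)


def compare(server: str) -> tuple[bool, bool]:
    """(vulnerable verdict, hardened verdict) for one server value."""
    return vulnerable_server_check(server), hardened_server_check(server)


if __name__ == "__main__":
    # Constructed inputs: one tenant-style host plus attacker-chosen values
    # shaped like the article's attacker.com/test.paloaltonetworks.com.
    for value in (
        "xdr-tenant.paloaltonetworks.com",
        "attacker.com/test.paloaltonetworks.com",
        "attacker.com:443/?next=.paloaltonetworks.com",
        "evilpaloaltonetworks.com",
    ):
        vuln, hard = compare(value)
        print(f"{value:48} vulnerable={vuln!s:5} hardened={hard}")
```

The important design point is that the hardened version parses before it compares: the string that decides where the WebSocket actually goes is the authority component, so that is the only component the allow-list may be applied to.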
In the cross-tenant attack, the attacker starts a Live Terminal session in their own tenant, intercepts the WebSocket message carrying the session token before it reaches their own test machine, and replays that token on the victim’s endpoint.
The victim’s machine then connects to the attacker’s Cortex tenant, handing over full Live Terminal access through the official console GUI.
It is worth noting that the legitimate parent process for cortex-xdr-payload.exe is cyserver.exe, and any deviation from this should be treated as suspicious.
Palo Alto Networks was notified of these findings on September 30, 2025, and later said versions 8.7 through 8.9 contained a fix.
Testing done on February 23, 2026, against version 8.9.1 with the latest content updates showed both the abuse and the hostname-check bypass still fully working, with no effective fix in place.
Security teams should monitor process creation events and flag any case where cortex-xdr-payload.exe is launched by a parent process other than cyserver.exe.
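The parent-process rule as an added example, run over constructed process-creation events (the shape of Sysmon Event ID 1 or an EDR equivalent). It is not the researchers’ or the vendor’s detection content; the field names, PIDs and install paths are this example’s assumptions, and only the two image names come from the article.

```python
import ntpath
from dataclasses import dataclass

PAYLOAD_IMAGE = "cortex-xdr-payload.exe"   # Live Terminal client named in the article
EXPECTED_PARENT = "cyserver.exe"           # its only legitimate parent, per the article


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a process-creation event that the rule needs.
    Field names are this example's own, not a vendor schema."""
    pid: int
    image: str
    parent_image: str


def image_name(path: str) -> str:
    # Compare on the file name only, case-insensitively: Windows paths vary
    # in casing and the agent may live under a per-version directory.
    return ntpath.basename(path).lower()


def is_suspicious_launch(ev: ProcessCreate) -> bool:
    """True when cortex-xdr-payload.exe starts under anything other than
    cyserver.exe. A missing parent image counts as a mismatch rather than
    being ignored, so the rule fails closed."""
    if image_name(ev.image) != PAYLOAD_IMAGE:
        return False
    return image_name(ev.parent_image) != EXPECTED_PARENT


def suspicious_launches(events):
    """Events that should raise an alert under the parent-process rule."""
    return [ev for ev in events if is_suspicious_launch(ev)]


# Constructed sample events; the install directory is illustrative (an assumption).
AGENT_DIR = r"C:\Program Files\Palo Alto Networks\Traps"
SAMPLE_EVENTS = [
    # Legitimate Live Terminal start: payload launched by cyserver.exe.
    ProcessCreate(4120, rf"{AGENT_DIR}\cortex-xdr-payload.exe", rf"{AGENT_DIR}\cyserver.exe"),
    # Operator-style abuse: payload launched from an interactive shell.
    ProcessCreate(4132, rf"{AGENT_DIR}\cortex-xdr-payload.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(4140, rf"{AGENT_DIR}\cortex-xdr-payload.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Same as the legitimate case but with different casing: must not alert.
    ProcessCreate(4151, rf"{AGENT_DIR}\CORTEX-XDR-PAYLOAD.EXE", rf"{AGENT_DIR}\CYSERVER.EXE"),
    # Parent image not recorded (e.g. parent already exited): alert anyway.
    ProcessCreate(4160, rf"{AGENT_DIR}\cortex-xdr-payload.exe", ""),
    # Unrelated process: ignored by the rule.
    ProcessCreate(4172, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in suspicious_launches(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} {image_name(ev.image)} parent={ev.parent_image or '<none>'}")
```

Note that this rule only sees the launch event. A session that was redirected by tampering with the WebSocket message still has cyserver.exe as the parent, which is exactly why the article treats parent-process monitoring as a starting point rather than a fix.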
Palo Alto Networks should implement mutual authentication and cryptographic command signing within the Live Terminal protocol.
A detection-only approach based on parent process rules is not enough. The feature’s architecture needs a secure-by-design redesign so that this kind of abuse is not possible at the protocol level.