Zero Trust Under Fire: Critical Flaws Expose Check Point, Zscaler, and Netskope Users


Security researchers have uncovered critical vulnerabilities in leading Zero Trust Network Access (ZTNA) solutions from major cybersecurity vendors, including Zscaler, Netskope, and Check Point. These findings, presented at DEF CON 33 in Las Vegas, highlight potential authentication bypasses, privilege escalation attacks, and cross-tenant data exposure, raising significant concerns about the security of technologies designed to replace traditional VPNs.

Critical Authentication Bypasses Discovered

A seven-month research campaign revealed multiple high-severity flaws across Zscaler, Netskope, and Check Point’s Perimeter 81 products. These vulnerabilities could enable attackers to bypass authentication mechanisms entirely, impersonate users across multiple organizations, and gain unauthorized access to internal corporate resources.

Key vulnerabilities identified include:

  • Netskope Client:
    • Authentication bypass in Identity Provider (IdP) enrollment (CVE-2024-7401)
    • Cross-organization user impersonation (Pending CVE)
    • Privilege escalation via rogue server (Pending CVE)
  • Zscaler Platform:
    • SAML authentication bypass (CVE-2025-54982)
  • Check Point Perimeter 81:
    • Hard-coded SFTP credentials (Not assigned CVE)

Vulnerability Details

  • Zscaler (CVE-2025-54982): The SAML authentication bypass in Zscaler’s platform occurs due to an improper verification of cryptographic signatures in its SAML authentication mechanism. This flaw enables complete authentication bypass, granting access to both web proxies and “Private Access” services that route traffic to internal corporate resources. Zscaler has stated that the issue has been remediated across all Zscaler Clouds and that their security team found no evidence of exploitation in their environment.
  • Netskope (CVE-2024-7401): This critical vulnerability involves an authentication bypass in the Identity Provider (IdP) enrollment mode of the Netskope Client, which utilizes a static “Orgkey” token as an authentication parameter. If leaked, this static token cannot be rotated or revoked, allowing a malicious actor to enroll the Netskope Client from a customer’s tenant and impersonate a user. This vulnerability has been assigned a CVSS v4 base score of 8.5 (High). Netskope’s security advisories acknowledge in-the-wild exploitation by bug bounty hunters, with many organizations remaining vulnerable 16 months after initial disclosure. Additionally, arbitrary cross-organization user impersonation is possible when attackers possess a non-revocable “OrgKey” value alongside any enrollment key, enabling complete authentication bypass across different tenants.
  • Check Point Perimeter 81: This vulnerability involves hard-coded SFTP credentials that provided unauthorized access to an SFTP server. This server contained client logs from multiple tenants, including sensitive JWT authentication material that could facilitate authentication against the Perimeter 81 service. This represents a significant cross-tenant data exposure risk.
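The Netskope finding above turns on one design property: the enrollment secret is a single static, tenant-wide value that cannot be rotated or revoked, so a leak is permanent. The following added example (not Netskope's code, and not derived from any vendor implementation) contrasts that pattern with a hardened enrollment flow in which every token is tenant-bound, short-lived, single-use and individually revocable. All names, the server secret and the tenant/user values are constructed for illustration.

```python
"""Added example: static org-wide enrollment key versus revocable, tenant-bound tokens.

Not vendor code. Every secret, tenant and user name below is constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Weak pattern (constructed illustration): one long-lived secret shared by
# every client of a tenant. If it leaks there is nothing to revoke or rotate.
STATIC_ORG_KEY = "orgkey-constructed-example"


def static_key_enrol(presented_key: str) -> bool:
    """Anyone holding the leaked static key enrols, indefinitely."""
    return hmac.compare_digest(presented_key, STATIC_ORG_KEY)


class EnrollmentService:
    """Hardened pattern: per-request tokens that are tenant-bound, expiring,
    single-use and individually revocable.

    Token layout (hypothetical): base64url(JSON payload) + "." + HMAC-SHA256.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int = 600) -> None:
        self.server_secret = server_secret
        self.ttl = ttl_seconds
        self.used = set()      # token ids already redeemed (single use)
        self.revoked = set()   # token ids revoked by an administrator

    def _sign(self, payload_b64: str) -> str:
        return hmac.new(self.server_secret, payload_b64.encode(), hashlib.sha256).hexdigest()

    def issue(self, tenant: str, user: str, now: Optional[float] = None) -> str:
        """Mint a token for one user of one tenant, valid for `ttl` seconds."""
        now = time.time() if now is None else now
        payload = {
            "jti": secrets.token_hex(8),   # unique id enables single use and revocation
            "tenant": tenant,
            "user": user,
            "exp": now + self.ttl,
        }
        payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return f"{payload_b64}.{self._sign(payload_b64)}"

    def _decode(self, token: str) -> Optional[dict]:
        """Return the payload only if the signature verifies; otherwise None."""
        try:
            payload_b64, sig = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(payload_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload_b64))

    def revoke(self, token: str) -> None:
        """Revoke a single token (e.g. after a suspected leak) without touching others."""
        payload = self._decode(token)
        if payload is not None:
            self.revoked.add(payload["jti"])

    def enrol(self, token: str, tenant: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept the token only for its own tenant, before expiry, once, and if not revoked."""
        now = time.time() if now is None else now
        payload = self._decode(token)
        if payload is None:
            return False, "bad signature"
        if payload["tenant"] != tenant:
            return False, "cross-tenant token"
        if payload["exp"] < now:
            return False, "expired"
        if payload["jti"] in self.revoked:
            return False, "revoked"
        if payload["jti"] in self.used:
            return False, "already used"
        self.used.add(payload["jti"])
        return True, payload["user"]


if __name__ == "__main__":
    svc = EnrollmentService(b"constructed-server-secret")
    tok = svc.issue("acme", "alice")
    print(svc.enrol(tok, "acme"))    # (True, 'alice')
    print(svc.enrol(tok, "acme"))    # (False, 'already used')
    print(svc.enrol(tok, "globex"))  # (False, 'cross-tenant token')
```

The point of the contrast is operational: with the static key, the only remedy after a leak is a vendor-side change every customer must wait for; with per-token ids, an operator can revoke one token, let the rest expire on their own, and rotate `server_secret` to invalidate everything at once.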

Tactics, Techniques, and Procedures (TTPs)

Attackers can exploit authentication weaknesses in Zscaler, Netskope, and Check Point products to gain unauthorized access to sensitive internal systems and escalate privileges on endpoint devices.

  • TA0001 – Initial Access: Exploit Public-Facing Application (T1190)
    • Attackers exploit the authentication bypass and other vulnerabilities in ZTNA solutions to gain unauthorized access.
  • TA0004 – Privilege Escalation: Exploitation for Privilege Escalation (T1068)
    • The Netskope client contains a local privilege escalation flaw, allowing attackers to achieve SYSTEM-level access by coercing the client to communicate with a rogue server.
  • TA0006 – Credential Access: Credentials from Password Stores (T1555)
    • Check Point’s hard-coded SFTP credentials provide unauthorized access to an SFTP server containing client logs, including JWT material.
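Two of the findings above come down to secrets sitting where they should not: an SFTP password hard-coded in software, and JWT authentication material written into client logs that were then stored alongside other tenants' data. The following added example (not from the original research or any vendor) is a small defender-side scanner that flags hard-coded credential assignments in configuration and JWT-like tokens in log lines, and redacts both before logs are shipped. The regexes, the sample log lines and the sample JWT are all constructed for illustration.

```python
"""Added example: detect and redact hard-coded credentials and JWTs in config/log lines.

Not vendor code. Sample lines and the sample JWT below are constructed.
"""
import base64
import json
import re
from typing import Iterable, List, Optional, Tuple

# A JWT is three base64url segments; a real header decodes to JSON containing "alg".
# "eyJ" is the base64 encoding of '{"', so every JSON-header JWT starts with it.
JWT_RE = re.compile(r"(?<![A-Za-z0-9_-])(eyJ[A-Za-z0-9_-]{5,})\.([A-Za-z0-9_-]{5,})\.([A-Za-z0-9_-]{5,})")

# Hard-coded credential assignments such as  sftp_password = "..."  or  api_key: '...'
CRED_RE = re.compile(r"""(?i)\b(sftp_pass(?:word)?|password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['"]([^'"]{4,})['"]""")


def _b64url_json(segment: str) -> Optional[dict]:
    """Decode one base64url segment as JSON, or return None if it is not JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        value = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return value if isinstance(value, dict) else None


def find_jwts(line: str) -> List[str]:
    """Return tokens that look like JWTs *and* whose header parses as a JWT header."""
    hits = []
    for m in JWT_RE.finditer(line):
        header = _b64url_json(m.group(1))
        if header is not None and "alg" in header:
            hits.append(m.group(0))
    return hits


def find_hardcoded_credentials(line: str) -> List[Tuple[str, str]]:
    """Return (key_name, value) pairs for quoted credential assignments."""
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(line)]


def redact(line: str) -> str:
    """Replace JWTs and credential values so the line is safe to ship or store."""
    for tok in find_jwts(line):
        line = line.replace(tok, "[REDACTED-JWT]")
    return CRED_RE.sub(lambda m: f'{m.group(1)}="[REDACTED]"', line)


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan lines and return (line_number, kind, detail) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for tok in find_jwts(line):
            alg = _b64url_json(tok.split(".")[0])["alg"]
            findings.append((n, "jwt", f"alg={alg}"))
        for key, _value in find_hardcoded_credentials(line):
            findings.append((n, "credential", f"key={key}"))
    return findings


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample JWT (HS256 header, dummy payload, dummy signature) and log lines.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(b'{"sub":"user1"}'),
    _b64url(b"constructed-signature"),
])
SAMPLE_LINES = [
    "2025-08-10T12:00:01Z client enrolled tenant=acme user=alice",
    f"2025-08-10T12:00:02Z debug auth header: Bearer {SAMPLE_JWT}",
    'sftp_password = "S3cretSftpPass!"   # constructed, not a real credential',
    "2025-08-10T12:00:03Z upload complete bytes=1024",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
    for line in SAMPLE_LINES:
        print(redact(line))
```

Checking the decoded header rather than trusting the regex alone keeps the scanner from flagging every `eyJ`-prefixed string, and redacting at the log producer means a later mis-scoped log store, as in the Perimeter 81 finding, holds nothing usable for authentication.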

Mitigation & Recommendations

While specific, detailed mitigation steps from all vendors are not extensively outlined in public reports, it is crucial for organizations to take proactive measures:

  • Apply Security Updates: It is paramount to apply any security updates or patches released by the vendors as soon as they become available. Zscaler has already remediated its vulnerability. Netskope has a patch available for CVE-2024-7401.
  • Rigorous Security Testing: Organizations should perform rigorous security testing for ZTNA platforms, especially as they increasingly rely on these solutions to protect critical infrastructure and sensitive data.
  • Vendor Accountability: Organizations must demand clear assurances from vendors regarding security standards, transparent disclosure of server-side vulnerabilities, and proper risk evaluation.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software solution designed to instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as over 550 third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.