Multiple Critical Flaws Hit Zero Trust Products from Check Point, Zscaler, and Netskope

Security researchers at AmberWolf have uncovered critical vulnerabilities in leading Zero Trust Network Access (ZTNA) solutions from major cybersecurity vendors, potentially exposing thousands of organizations to authentication bypasses and privilege escalation attacks.

The findings were presented at DEF CON 33 in Las Vegas, raising serious questions about the security of next-generation remote access technologies that are rapidly replacing traditional VPNs.

Critical Authentication Bypasses Discovered

The seven-month research campaign conducted by David Cash and Richard Warren revealed multiple high-severity flaws affecting Zscaler, Netskope, and Check Point’s Perimeter 81 products.

Vendor       Product        Vulnerability                              CVE
Netskope     Client         Authentication bypass in IdP enrollment    CVE-2024-7401
Netskope     Client         Cross-organization user impersonation      Pending
Netskope     Client         Privilege escalation via rogue server      Pending
Zscaler      Platform       SAML authentication bypass                 CVE-2025-54982
Check Point  Perimeter 81   Hard-coded SFTP credentials                Not assigned

Together, these vulnerabilities let an attacker bypass authentication outright, impersonate users belonging to other organizations, and reach internal corporate resources without authorization.

The most severe issues include a SAML authentication bypass in Zscaler’s platform, where the system failed to properly validate digitally signed assertions, and multiple authentication bypass vulnerabilities in Netskope’s products that exploit non-revocable “OrgKey” values.

These flaws essentially allow attackers to masquerade as legitimate users without requiring valid credentials.
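The failure the article describes, a platform accepting an assertion whose signature it had not properly validated, is easiest to see in code. The block below is an added example written for this article, not code from Zscaler, Netskope, AmberWolf or any other party, and it does not reproduce the specific Zscaler flaw (the article does not detail it). It shows the general shape of the mistake: a verifier that checks a signature somewhere in the document and then trusts an assertion the signature never covered (signature wrapping), beside a hardened verifier that binds the signature to the one assertion it accepts and then checks issuer, audience and validity window. Everything in it is constructed: IDP_KEY, the entity IDs and the element layout are assumptions; HMAC-SHA256 stands in for XML-DSig with RSA, and the elements carry no namespaces so the standard library's serializer round-trips them deterministically.

```python
"""Simplified SAML-style assertion verification: a verifier that trusts the
wrong element (signature wrapping) beside one that binds the signature to the
assertion it trusts.  Stand-ins: HMAC-SHA256 over the serialized element
replaces XML-DSig/RSA, and element names carry no namespaces (constructed)."""
import copy
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

IDP_KEY = b"demo-idp-signing-key"            # constructed; stands in for the IdP cert
IDP_ENTITY_ID = "https://idp.example.test"   # constructed issuer
SP_ENTITY_ID = "https://sp.example.test"     # constructed audience


def _canonical(elem):
    # Serialize an element with any enveloped <Signature> child removed.
    c = copy.deepcopy(elem)
    c.tail = None
    for sig in c.findall("Signature"):
        c.remove(sig)
    return ET.tostring(c, encoding="utf-8")

def _signature_valid(signed_elem, sig, key):
    expected = hmac.new(key, _canonical(signed_elem), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.findtext("SignatureValue") or "")

def make_assertion(assertion_id, name_id, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID):
    now = time.time()
    a = ET.Element("Assertion", ID=assertion_id)
    ET.SubElement(a, "Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, "Subject"), "NameID").text = name_id
    cond = ET.SubElement(a, "Conditions", NotBefore=str(now - 60), NotOnOrAfter=str(now + 300))
    ET.SubElement(cond, "Audience").text = audience
    return a

def sign_assertion(assertion, key=IDP_KEY):
    # Enveloped signature whose Reference names the assertion's own ID.
    mac = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = mac
    return assertion

def build_response(*assertions):
    resp = ET.Element("Response")
    resp.extend(copy.deepcopy(a) for a in assertions)
    return ET.tostring(resp, encoding="unicode")

def verify_vulnerable(response_xml, key=IDP_KEY):
    """Representative mistake: verify *a* signature, then trust the *first* Assertion."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//Signature")
    ref = sig.find("Reference") if sig is not None else None
    target_id = ref.get("URI", "").lstrip("#") if ref is not None else ""
    target = next((e for e in root.iter() if e.get("ID") == target_id), None)
    if target is None or not _signature_valid(target, sig, key):
        return None
    first = root.find(".//Assertion")   # BUG: not necessarily the signed element
    return first.findtext("Subject/NameID") if first is not None else None

def verify_hardened(response_xml, key=IDP_KEY, now=None):
    """Bind the signature to the single assertion being trusted, then check its claims."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    sig = a.find("Signature")           # must be enveloped in this very assertion
    ref = sig.find("Reference") if sig is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID"):
        raise ValueError("no signature referencing this assertion")
    if not _signature_valid(a, sig, key):
        raise ValueError("bad signature")
    cond = a.find("Conditions")
    now = time.time() if now is None else now
    if cond is None or not float(cond.get("NotBefore", "inf")) <= now < float(cond.get("NotOnOrAfter", "-inf")):
        raise ValueError("assertion outside its validity window")
    if a.findtext("Issuer") != IDP_ENTITY_ID or cond.findtext("Audience") != SP_ENTITY_ID:
        raise ValueError("wrong issuer or audience")
    return a.findtext("Subject/NameID")

def _outcome(fn, *args):
    try:
        return fn(*args)
    except ValueError as exc:
        return "rejected: " + str(exc)

def demo():
    legit = sign_assertion(make_assertion("_a1", "alice@example.test"))
    good = build_response(legit)
    wrapped = build_response(make_assertion("_evil", "admin@example.test"), legit)  # unsigned forgery first
    t = ET.fromstring(good)             # tampering: edit the signed NameID without re-signing
    t.find(".//NameID").text = "admin@example.test"
    tampered = ET.tostring(t, encoding="unicode")
    return {
        "vulnerable_good": verify_vulnerable(good),
        "vulnerable_wrapped": verify_vulnerable(wrapped),   # attacker-chosen NameID is trusted
        "hardened_good": verify_hardened(good),
        "hardened_wrapped": _outcome(verify_hardened, wrapped),
        "hardened_tampered": _outcome(verify_hardened, tampered),
    }

if __name__ == "__main__":
    print(demo())
```

Calling demo() shows the vulnerable verifier returning the attacker's NameID for the wrapped response while the hardened one rejects it, and the tampered case shows the hardened path actually enforcing the signature rather than only its presence. In production the same structural checks should come from a maintained SAML library with real XML canonicalization; the point of the block is which checks that library must be configured to perform.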

The discovered vulnerabilities have far-reaching implications for organizations that have adopted ZTNA solutions as their primary remote access technology.

Unlike traditional VPN vulnerabilities that typically affect network perimeter security, these flaws compromise the core trust mechanisms that these platforms are built upon.

Particularly concerning is Netskope's continued support for an authentication method that the company itself has publicly documented as exploitable.

Although the vendor knows that bug bounty hunters have exploited it in the wild, many organizations remain exposed 16 months after the initial disclosure.

AmberWolf researchers found evidence of widespread use of these insecure configurations across multiple customer deployments.

The research highlighted significant differences in how vendors handle vulnerability disclosure and transparency.

While Zscaler issued CVE-2025-54982 for its SAML authentication bypass, Netskope has maintained a policy of not issuing CVEs for server-side vulnerabilities.

This inconsistency raises important questions about how organizations can properly assess their risk exposure when vendors don’t uniformly disclose security issues.

Check Point's vulnerability involved hard-coded SFTP credentials that gave access to client logs from multiple tenants, including sensitive JWT authentication material.

Exposing one tenant's data to another in this way is a particularly serious breach of customer trust and of the data isolation a multi-tenant service is expected to enforce.
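The Check Point finding turns on client logs that carried JWT material. Because a JWT's header and claims are only base64url-encoded, anyone who can read the logs can read the identities inside them and see which tokens are still within their exp window, with no key at all. The block below is an added example for this article, not code from Check Point, AmberWolf or any vendor: it scans constructed log lines for JWT-shaped strings, decodes them without verification, reports which are still live at a fixed reference time, and emits a redacted copy that can be shared. The log lines, the tokens, the 'tid' claim name and the fixed NOW value are all constructed assumptions.

```python
"""Triage of JWTs found in client logs: locate token-shaped strings, read the
header and claims (base64url only, no key needed), flag which tokens are still
inside their 'exp' window, and emit a redacted copy safe to share.  Added
example for this article; log lines, tokens and the 'tid' claim are constructed."""
import base64
import json
import re
import time

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
NOW = 1_700_000_000   # fixed reference time so results are deterministic (constructed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_sample_jwt(claims: dict) -> str:
    """Constructed token with filler signature bytes; shaped like a real one, never valid."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode(),
             b"\x00" * 32]
    return ".".join(_b64url(p) for p in parts)

def decode_unverified(token: str):
    """Header and claims are readable by anyone holding the token; nothing here checks the signature."""
    h, p, _sig = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p))

def triage(lines, now=None):
    """Return (findings, redacted_lines) for a list of log lines."""
    now = time.time() if now is None else now
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        for tok in JWT_RE.findall(line):
            try:
                hdr, claims = decode_unverified(tok)
            except ValueError:          # not actually a JWT (bad base64 or JSON)
                continue
            exp = claims.get("exp")
            findings.append({"line": n, "alg": hdr.get("alg"), "sub": claims.get("sub"),
                             "tenant": claims.get("tid"), "exp": exp,
                             "live": exp is not None and now < exp})
        redacted.append(JWT_RE.sub("[REDACTED-JWT]", line))
    return findings, redacted


SAMPLE_LOG = [   # constructed lines in the shape of a client's upload log
    "2023-11-14T22:13:20Z INFO tenant=acme auth ok bearer="
    + make_sample_jwt({"sub": "alice@acme.test", "tid": "acme", "exp": NOW + 3600}),
    "2023-11-14T22:13:21Z DEBUG tenant=globex cached token "
    + make_sample_jwt({"sub": "bob@globex.test", "tid": "globex", "exp": NOW - 86400}),
    "2023-11-14T22:13:22Z INFO tenant=acme heartbeat ok",
]

if __name__ == "__main__":
    found, clean = triage(SAMPLE_LOG, now=NOW)
    for f in found:
        print(f)
    print("\n".join(clean))
```

Running it against the sample lines reports one live token for the acme tenant and one expired token for globex, and the redacted copy keeps every line's timestamp and message while stripping the tokens themselves. The live/expired split is what decides whether a log exposure of this kind needs token revocation as well as a credential rotation.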

These findings underscore the importance of rigorous security testing for ZTNA platforms, especially as organizations increasingly rely on these solutions to protect critical infrastructure and sensitive data.
