Critical cybersecurity vulnerabilities have been identified in enterprise-level Zero Trust Network Access solutions, potentially enabling malicious actors to breach corporate networks with relative ease.
AmberWolf security researchers unveiled these vulnerabilities during their DEF CON 33 presentation, demonstrating how attackers can exploit authentication weaknesses in products from industry leaders Zscaler, NetSkope, and Check Point to gain unauthorized access to sensitive internal systems and escalate privileges on endpoint devices.
Key Takeaways
1. Authentication bypasses in Zscaler (CVE-2025-54982, unsigned SAML assertions accepted) and NetSkope (CVE-2024-7401 in IdP enrollment mode, plus cross-tenant impersonation via a non-revocable OrgKey) let attackers log in as any user.
2. A NetSkope client flaw yields SYSTEM-level access on the endpoint; a hard-coded SFTP key in Check Point's Perimeter 81 exposes multi-tenant client logs containing JWT material.
3. CVE-2024-7401 was disclosed 16 months ago with in-the-wild exploitation acknowledged, yet many organizations still run the insecure configuration.
Authentication Bypass Vulnerabilities
The most severe findings include multiple authentication bypass vulnerabilities that allow attackers to impersonate legitimate users without proper credentials.
In Zscaler's implementation, researchers discovered a SAML authentication bypass tracked as CVE-2025-54982: the platform did not verify that SAML assertions carried a valid signature from the configured identity provider, so an attacker could submit a self-crafted assertion naming any user.
This flaw enables complete authentication bypass, granting access to both web proxies and "Private Access" services that route traffic to internal corporate resources.
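The check a SAML service provider has to make before trusting an assertion, shown beside the bug pattern the Zscaler finding describes (an assertion accepted without its signature being verified). This is an added example, not AmberWolf's or Zscaler's code. To stay on the standard library it replaces XML-DSig over canonicalized XML with an HMAC-SHA256 over the serialized assertion, and the element names, the `IDP_KEY` secret and the sample assertions are all constructed; the shape of the check (signed at all, signature covers this assertion, signature verifies under the pinned IdP key) is what a real implementation must reproduce.

```python
"""Added example: SAML assertion validation, vulnerable pattern vs hardened check.
Toy HMAC stands in for XML-DSig; element names are simplified (no namespaces)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed IdP signing secret; stands in for the IdP private key whose
# certificate the SP would pin from IdP metadata.
IDP_KEY = b"demo-idp-signing-key"


def _signed_bytes(assertion: ET.Element) -> bytes:
    """Bytes the signature covers: the assertion with its Signature element
    removed (stand-in for exclusive XML canonicalization)."""
    clone = copy.deepcopy(assertion)
    clone.tail = None
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def sign_assertion(assertion_xml: str, key: bytes) -> str:
    """IdP side: append a Signature whose Reference names the assertion ID."""
    root = ET.fromstring(assertion_xml)
    mac = hmac.new(key, _signed_bytes(root), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + root.get("ID", ""))
    ET.SubElement(sig, "SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def vulnerable_subject(response_xml: str) -> str:
    """Bug pattern: read the NameID without checking the assertion is signed."""
    return ET.fromstring(response_xml).findtext("Assertion/Subject/NameID")


def validated_subject(response_xml: str, key: bytes) -> str:
    """Hardened: reject unsigned, wrapped (Reference points elsewhere) or
    tampered assertions; return the NameID only after the signature verifies."""
    assertion = ET.fromstring(response_xml).find("Assertion")
    if assertion is None:
        raise ValueError("no Assertion in Response")
    sig = assertion.find("Signature")
    if sig is None:
        raise ValueError("assertion is not signed")
    ref = sig.find("Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Signature does not reference this assertion")
    expected = hmac.new(key, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.findtext("SignatureValue") or ""):
        raise ValueError("signature does not verify")
    subject = assertion.findtext("Subject/NameID")
    if not subject:
        raise ValueError("no NameID")
    return subject


def outcome(response_xml: str, key: bytes = IDP_KEY) -> str:
    """Demo helper: the accepted subject, or the rejection reason."""
    try:
        return "accepted:" + validated_subject(response_xml, key)
    except ValueError as err:
        return "rejected:" + str(err)


# Constructed sample messages (no real tenant data).
LEGIT = sign_assertion(
    '<Assertion ID="_a1"><Subject><NameID>alice@example.com</NameID></Subject></Assertion>',
    IDP_KEY)
FORGED = '<Assertion ID="_evil"><Subject><NameID>admin@example.com</NameID></Subject></Assertion>'
TAMPERED = LEGIT.replace("alice@example.com", "admin@example.com")
# Wrapping attempt: the forged assertion reuses the IdP's genuine Signature element.
_SIG = LEGIT[LEGIT.index("<Signature>"):LEGIT.index("</Signature>") + len("</Signature>")]
WRAPPED = FORGED.replace("</Assertion>", _SIG + "</Assertion>")

RESP_LEGIT = f"<Response>{LEGIT}</Response>"
RESP_FORGED = f"<Response>{FORGED}</Response>"
RESP_TAMPERED = f"<Response>{TAMPERED}</Response>"
RESP_WRAPPED = f"<Response>{WRAPPED}</Response>"


def demo() -> dict:
    return {
        "vulnerable_accepts_forged": vulnerable_subject(RESP_FORGED),
        "legit": outcome(RESP_LEGIT),
        "forged": outcome(RESP_FORGED),
        "tampered": outcome(RESP_TAMPERED),
        "wrapped": outcome(RESP_WRAPPED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the vulnerable reader returning `admin@example.com` for an assertion nobody signed, while the validated path accepts only the IdP-signed assertion and rejects the unsigned, tampered and wrapped variants. In a production SP the same three checks are done by the XML-DSig library against the IdP certificate taken from metadata, never from the message itself.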
NetSkope’s vulnerabilities proved equally concerning, with researchers identifying an authentication bypass in Identity Provider (IdP) enrollment mode that was previously documented as CVE-2024-7401.
The company's own security advisory acknowledges in-the-wild exploitation by bug bounty hunters, yet many organizations continue to use this insecure configuration 16 months after the initial disclosure.
Additionally, NetSkope suffers from arbitrary cross-organization user impersonation when attackers possess a non-revocable “OrgKey” value alongside any enrollment key, enabling complete authentication bypass across different tenants.
Privilege Escalation and Cross-Tenant Data Exposure
Beyond authentication bypasses, the research revealed privilege escalation vulnerabilities that could compromise endpoint security.
NetSkope's client also contains a local privilege escalation flaw: an attacker who can coerce the client into communicating with a rogue server gains SYSTEM-level access on the endpoint.
"This vulnerability, currently pending CVE assignment, demonstrates how ZTNA clients can become attack vectors for local system compromise," the AmberWolf report reads.
Check Point's Perimeter 81 service shipped a hard-coded SFTP key that grants unauthorized access to an SFTP server holding client logs from multiple tenants.
These logs include JWT material that could be used to authenticate to the Perimeter 81 service, a significant cross-tenant data exposure.
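Logs that carry bearer tokens are exactly what the Perimeter 81 finding turned into a cross-tenant problem, so a practitioner's first questions are whether their own ZTNA client logs contain JWTs, whether those tokens are still within their validity window, and how to scrub them before the logs leave the host. The script below is an added example, not Check Point's or AmberWolf's code; the log lines, the signing key and the `tenant` claim are constructed, and the tokens are decoded only for triage, not verified.

```python
"""Added example: find JWTs in client logs, triage their validity, redact them.
Sample log lines and tokens are constructed; nothing here comes from a vendor."""
import base64
import hashlib
import hmac
import json
import re

# A JWT is three base64url segments; "eyJ" is how the encoded header '{"' begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{16,}")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token so the sample log carries a real-shaped JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def find_jwts(log_text: str, now: int) -> list:
    """One record per token found. The payload is decoded, not verified: the
    goal is triage (whose token, which tenant, still usable?). A token with no
    exp claim is reported as usable because it never expires."""
    findings = []
    for m in JWT_RE.finditer(log_text):
        token = m.group(0)
        try:
            claims = json.loads(_b64url_decode(token.split(".")[1]))
        except (ValueError, UnicodeDecodeError):
            continue  # matched the shape but is not a JWT
        exp = claims.get("exp")
        findings.append({
            "line": log_text.count("\n", 0, m.start()) + 1,
            "sub": claims.get("sub"),
            "tenant": claims.get("tenant"),
            "exp": exp,
            "usable": exp is None or int(exp) > now,
        })
    return findings


def redact_jwts(log_text: str) -> str:
    """Replace every token with a marker before the log is shipped anywhere."""
    return JWT_RE.sub("<redacted-jwt>", log_text)


# Constructed sample: two tenants' tokens in one log file, one expired, one not.
DEMO_KEY = b"demo-signing-key"
DEMO_NOW = 1_754_697_600  # 2025-08-09T00:00:00Z as a Unix timestamp
TOKEN_ALICE = make_demo_jwt({"sub": "alice", "tenant": "acme", "exp": DEMO_NOW + 3600}, DEMO_KEY)
TOKEN_BOB = make_demo_jwt({"sub": "bob", "tenant": "globex", "exp": DEMO_NOW - 60}, DEMO_KEY)
SAMPLE_LOG = "\n".join([
    "2025-08-09T00:00:01Z client start tenant=acme",
    f"2025-08-09T00:00:02Z auth ok Authorization: Bearer {TOKEN_ALICE}",
    "2025-08-09T00:00:03Z tunnel up",
    f"2025-08-09T00:00:04Z refresh failed token={TOKEN_BOB}",
])

if __name__ == "__main__":
    for hit in find_jwts(SAMPLE_LOG, DEMO_NOW):
        print(hit)
    print(redact_jwts(SAMPLE_LOG))
```

On the constructed log the scan reports alice's acme token as still usable and bob's globex token as expired, and the redacted copy contains no token at all. The "usable" flag is deliberately conservative: a token without `exp` is flagged as live, since a leaked non-expiring token is the worst case for the kind of exposure described above.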
As organizations increasingly adopt ZTNA solutions to replace traditional VPNs, these discoveries underscore the importance of rigorous security validation and vendor accountability in protecting corporate network infrastructure from sophisticated threat actors.