Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview

Introduction

At DEF CON 33, AmberWolf presented the results of a research campaign investigating the security of Zero Trust Network Access solutions (specifically Zscaler, Netskope and Check Point Harmony SASE). Our research uncovered critical flaws in these market-leading solutions, allowing attackers to escalate privileges on end-user devices and to completely bypass authentication, granting access to internal resources as any user.

The era of the VPN for corporate network access is coming to an end. A steady stream of VPN appliance vulnerabilities exploited in the wild by ransomware groups, along with renewed interest in VPN clients as an attack surface (including our previous work on NachoVPN), has left organisations facing difficult choices when selecting remote access solutions.

Enter the Zero Trust Network Access (ZTNA) vendors, armed with substantial marketing budgets, sleek interfaces and promising the next-generation security practice of “always verify, never trust”. The architectural differences between traditional VPNs and ZTNA can enable more granular access controls, improved role separation and continuous identity verification.

Building on our previous research into the Cato Networks client, we decided to examine the security of these next-generation ZTNA solutions to determine whether they lived up to their claims. We presented our findings at DEF CON 33 in Las Vegas in our talk “Zero Trust, Total Bust: Breaking into Thousands of Cloud-Based VPNs with One Bug”. In this session, we demonstrated critical authentication bypasses, cross-tenant user impersonation attacks, and privilege escalation exploits affecting Zscaler, Netskope and Check Point zero trust products, and posed the question: how much trust can you really place in your Zero Trust vendor?

You can find a copy of our slides on our GitHub, and the video recording here.

Our Findings

Over a seven-month period, AmberWolf researchers David Cash and Richard Warren identified a range of vulnerabilities in leading ZTNA products from Netskope, Zscaler and Check Point:

  • Netskope – Authentication Bypass in IdP Enrolment Mode

    • Full authentication bypass and user impersonation vulnerability when a non-revocable “OrgKey” value is known.
  • Netskope – Cross-tenant Authentication Bypass

    • Full authentication bypass and user impersonation vulnerability when a non-revocable “OrgKey” value is known, alongside any enrolment key. This key does not need to be associated with the same tenant as the OrgKey.
  • Netskope – Local Privilege Escalation via Rogue Server (CVE-2025-0309)

    • Local privilege escalation to SYSTEM by coercing the Netskope client to communicate with a rogue server.
  • Zscaler – SAML Authentication Bypass (CVE-2025-54982)

    • Full authentication bypass, as Zscaler failed to validate that SAML assertions were correctly signed.
  • Check Point – Hard-coded SFTP key (CVE-2025-3831)

    • Access to an SFTP server containing client logs for multiple tenants, including files with JWT material that could allow authentication against the Harmony SASE service.

For all vulnerabilities where a full authentication bypass was achieved, this resulted in access to both the web proxies as the impersonated user and the “Private Access” services. These services allow routing traffic to internal resources, potentially enabling compromise of on-premises environments.
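The Zscaler finding above (a service provider that did not verify that SAML assertions were correctly signed) is the general failure of a SAML consumer reading claims before a signature binds them. As an added example, not code from this page, from AmberWolf or from Zscaler, the following stand-alone Python contrasts the defective "verify a signature only if one is present" pattern with a consumer that requires a signature, checks it against the configured IdP key, and only then reads issuer, audience, validity window and subject. To run on the standard library it stands in for XML-DSig with an HMAC-SHA256 tag over a re-serialised <Assertion> and uses an integer epoch for NotOnOrAfter; the key, URLs and subjects are constructed. The page does not say which checks Zscaler's implementation omitted beyond signature validation, so the defective variant illustrates the class of bug, not their code.

```python
"""Toy SAML assertion consumer: the 'signature optional' defect beside a
hardened consumer. Added example; not code from AmberWolf or Zscaler.
Assumption: XML-DSig is stood in for by an HMAC-SHA256 tag over a
re-serialised <Assertion> (minus its Signature child), and NotOnOrAfter is
an integer epoch, so the example runs on the standard library alone."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
S = "{%s}" % SAML_NS
ET.register_namespace("saml", SAML_NS)


class AssertionRejected(Exception):
    pass


def _canonical(assertion):
    """Bytes the (toy) signature covers: the assertion with its Signature child
    removed, as an enveloped XML-DSig would. Real C14N is more involved."""
    clone = ET.fromstring(ET.tostring(assertion))
    for sig in clone.findall(S + "Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def build_assertion(issuer, name_id, audience, not_on_or_after, signing_key=None):
    """Constructed IdP output. With signing_key=None it is unsigned, which is
    all a forger who knows the expected shape has to produce."""
    a = ET.Element(S + "Assertion", {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(a, S + "Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, S + "Subject"), S + "NameID").text = name_id
    cond = ET.SubElement(a, S + "Conditions", {"NotOnOrAfter": str(not_on_or_after)})
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = audience
    if signing_key is not None:
        tag = hmac.new(signing_key, _canonical(a), hashlib.sha256).hexdigest()
        ET.SubElement(a, S + "Signature").text = tag
    return ET.tostring(a, encoding="unicode")


def consume_signature_optional(xml, idp_key):
    """The defective pattern: read the subject out of the assertion and verify
    a signature only when one is present. An unsigned forgery sails through."""
    a = ET.fromstring(xml)
    sig = a.find(S + "Signature")
    if sig is not None:
        expected = hmac.new(idp_key, _canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.text or "", expected):
            raise AssertionRejected("signature mismatch")
    return a.findtext(S + "Subject/" + S + "NameID")


def consume_hardened(xml, idp_key, expected_issuer, expected_audience, now):
    """Signature first, keyed to the configured IdP; claims are read only once
    the signature binds them; then issuer, audience and validity window."""
    a = ET.fromstring(xml)
    sig = a.find(S + "Signature")
    if sig is None:
        raise AssertionRejected("assertion is not signed")
    expected = hmac.new(idp_key, _canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.text or "", expected):
        raise AssertionRejected("signature does not verify against the configured IdP key")
    if a.findtext(S + "Issuer") != expected_issuer:
        raise AssertionRejected("issuer is not the configured IdP")
    audience = a.findtext(S + "Conditions/" + S + "AudienceRestriction/" + S + "Audience")
    if audience != expected_audience:
        raise AssertionRejected("assertion was issued for a different service provider")
    cond = a.find(S + "Conditions")
    if cond is None or now >= int(cond.get("NotOnOrAfter", "0")):
        raise AssertionRejected("assertion has expired or carries no validity window")
    return a.findtext(S + "Subject/" + S + "NameID")


def rejected(consumer, *args):
    """True when the consumer refuses the assertion (used by the demo below)."""
    try:
        consumer(*args)
    except AssertionRejected:
        return True
    return False


if __name__ == "__main__":
    IDP_KEY = b"constructed-idp-signing-key"
    IDP, SP, NOW = "https://idp.example", "https://sp.example", 1_700_000_000
    forged = build_assertion(IDP, "admin@corp.example", SP, NOW + 300)  # no key: unsigned
    print("signature-optional consumer logs in:", consume_signature_optional(forged, IDP_KEY))
    print("hardened consumer rejects forgery:", rejected(consume_hardened, forged, IDP_KEY, IDP, SP, NOW))
    genuine = build_assertion(IDP, "alice@corp.example", SP, NOW + 300, IDP_KEY)
    print("hardened consumer accepts genuine:", consume_hardened(genuine, IDP_KEY, IDP, SP, NOW))
```

In a real service provider the signature is an enveloped XML-DSig verified by a library against the IdP certificate pinned in the SP's metadata, with the Reference URI checked to cover the Assertion actually being consumed. What carries over from the toy is the ordering (signature before any claim is read) and the hard requirement that a signature exist at all; a consumer that merely verifies signatures when it finds them is the one an attacker can satisfy with an unsigned assertion naming any user.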

Regarding the authentication bypass in IdP enrolment mode in Netskope, the vendor informed us that this was a known issue, originally reported by Sander di Wit and tracked as CVE-2024-7401 / NSKPSA-2024-001. AmberWolf was not aware of this prior disclosure at the time of the research and wishes to acknowledge Sander di Wit as the original reporter.

Advisories

Following the presentation, we are publishing detailed advisories documenting the vulnerabilities disclosed during our presentation. These advisories include technical descriptions, attack vectors, and mitigations, to help organisations protect themselves against these threats. By sharing this information, we aim to raise awareness and drive improvements in the security practices of both developers and end-users. Our advisory for CVE-2025-54982 has already been published, with further advisories to be shared over the coming weeks.

Closing Thoughts

We were surprised to find that Netskope still supported an authentication method they have publicly documented as exploitable. They have also confirmed seeing in-the-wild exploitation, as noted on their own advisory page: “Netskope has received isolated reports of abuse of this known exploit by Bug Bounty hunters.” Netskope have stated that their customers have been advised to move away from this insecure configuration, with Secure Enrolment becoming the default in all new tenants as of February 2025. However, as of August 2025, around 16 months after the vulnerability was first reported, AmberWolf is aware of many organisations still using this enrolment mode, presumably tenants that were Netskope customers before the February 2025 change in default.

There is also a notable difference in how vendors handle server-side vulnerabilities. Zscaler issued a CVE for a SAML authentication bypass. Netskope, on the other hand, has consistently stated that they do not issue CVEs for server-side issues. This raises important questions about vendor transparency. How can organisations using SASE understand their exposure and evaluate their risk if they are unaware of vulnerabilities in the platforms they depend on?

In February 2025, the UK National Cyber Security Centre (NCSC) published Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances. This sets out their expectations for the minimum level of forensic visibility that edge device vendors should provide in their appliances. The guidance highlights several key areas of evidence capture that are essential for detecting and investigating malicious activity on edge devices, including:

  • Minimum logging standards
  • Standards for remote logging
  • Forensic data acquisition requirements

According to the NCSC, “Network devices and appliances are prime targets for malicious actors because they play a crucial role managing and processing traffic.”

When organisations outsource the management and processing of traffic to ZTNA vendors, they should seek clear assurances that these standards are being met. Just as importantly, they need confidence that if a vulnerability is ever discovered, they will be informed.

We hope this research encourages organisations to verify the security of the products that act as gatekeepers to their networks, to seek assurances, both contractual and evidential, about the data available to them in the event of an incident, and to ensure that server-side vulnerabilities are reported transparently. This transparency allows organisations to apply their own risk appetite to their technology stack and to understand how often their vendors are introducing risks.

Follow us on LinkedIn, Twitter and Bluesky, and stay tuned for the detailed blog series.

Updates

  • 2025-08-15 - Updated article to add CVE Numbers for Check Point and Netskope Client (Which had not been issued prior to publication). Updated link to “Netskope – Arbitrary (cross-organisation) user impersonation advisory”. Additionally, added link to GitHub with our slides.
