Main vendor vulnerabilities span authentication and design flaws
The analysis uncovered critical vulnerabilities across Check Point, Zscaler and Netskope that fell into three main classes: authentication bypasses, credential storage failures and cross-tenant exploitation.
Authentication bypass vulnerabilities
Zscaler’s SAML implementation contained perhaps the most severe authentication flaw. The researchers found that the signature on the SAML assertion was only checked for presence; it was not validated against the identity provider’s public key. This allowed a complete bypass of identity provider authentication by forging SAML responses with invalid signatures.
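To make the distinction concrete, here is an added example (not code from the research or from any vendor) that puts the presence-only check described above beside a verification against the identity provider's pinned public key. It models a signed assertion as raw bytes plus an RSA signature rather than real XML-DSig, and the key, assertion strings and function names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Response is a toy model of a SAML response, constructed for this example.
// Real SAML uses XML-DSig with canonicalisation; that machinery is omitted.
type Response struct {
	Assertion []byte // signed content, e.g. NameID and Audience
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(Assertion)
}

// verifyPresenceOnly mirrors the flawed check: any non-empty signature
// passes, so an attacker-supplied assertion with junk bytes is accepted.
func verifyPresenceOnly(r Response) bool {
	return len(r.Signature) > 0
}

// verifyAgainstIdP is the correct check: verify under the IdP public key the
// SP pinned from IdP metadata, never a key carried inside the message itself.
func verifyAgainstIdP(r Response, idp *rsa.PublicKey) bool {
	h := sha256.Sum256(r.Assertion)
	return rsa.VerifyPKCS1v15(idp, crypto.SHA256, h[:], r.Signature) == nil
}

// Demo signs a genuine assertion with a fresh IdP key, forges one for another
// user, and returns (presence accepts forged, strict accepts forged, strict accepts genuine).
func Demo() (bool, bool, bool, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	genuine := Response{Assertion: []byte("NameID=alice Audience=sp")}
	h := sha256.Sum256(genuine.Assertion)
	genuine.Signature, err = rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, h[:])
	if err != nil {
		return false, false, false, err
	}
	forged := Response{
		Assertion: []byte("NameID=admin Audience=sp"), // attacker-chosen identity
		Signature: []byte("not-a-real-signature"),     // present but bogus
	}
	pub := &idpKey.PublicKey
	return verifyPresenceOnly(forged), verifyAgainstIdP(forged, pub),
		verifyAgainstIdP(genuine, pub), nil
}
```

The presence-only verifier accepts the forged response while the strict verifier rejects it and still accepts the genuine one, which is the whole difference between the two checks.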
Netskope suffered from a similar but more fundamental bypass. The enrollment API required no authentication, allowing attackers to register devices using only leaked organization keys and valid email addresses.
Check Point’s vulnerability centered on hard-coded encryption keys embedded in client binaries. These keys protected diagnostic log uploads containing JSON Web Tokens (JWTs) that lived for 30 days, creating a potential compromise scenario for any customer who had uploaded logs to support.
Credential storage and token management flaws
All three vendors implemented weak credential storage mechanisms. Zscaler stored Device Token Authentication credentials in the Windows registry in clear text, allowing local attackers to extract tokens and impersonate any user by modifying registry values. Netskope’s “Secure Enrollment” tokens used DPAPI encryption with insufficient protection.
Vendor response and remediation
Vendor responses varied significantly in speed and effectiveness. According to the researchers, Zscaler responded most quickly, initially patching their SAML vulnerability (CVE-2025-54982) within 4 hours. However, the fix introduced compatibility issues requiring a rollback before a permanent solution was implemented.