DEF CON analysis takes aim at ZTNA, calls it a bust




Major vendor vulnerabilities span authentication and design flaws

The research uncovered critical vulnerabilities across Check Point, Zscaler and Netskope that fell into three main categories: authentication bypasses, credential storage failures and cross-tenant exploitation.

Authentication bypass vulnerabilities

Zscaler’s SAML implementation contained the most severe authentication flaw. The researchers found that the signature on the SAML assertion was only checked for presence; it was never validated against the identity provider’s public key. This allowed a full bypass of identity provider authentication by forging SAML responses that carried invalid signatures.
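The difference between a presence-only check and real signature validation is what this finding turns on. The following Go program is an added illustration, not code from the research or from any vendor: it uses a deliberately simplified stand-in for a SAML assertion (a fixed issuer/subject concatenation instead of canonicalized XML) and a hypothetical key pair, and shows that the flawed check accepts an assertion signed with a key the service provider never registered, while verification against the identity provider’s public key rejects it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assertion is a simplified stand-in for a SAML assertion: the signed claims
// plus the signature value carried alongside them (constructed for this example).
type Assertion struct {
	Issuer    string
	Subject   string
	Signature []byte
}

// payload is the byte string the signature covers. Real SAML signs the
// canonicalized XML; a fixed concatenation is enough to show the check.
func payload(a Assertion) []byte { return []byte(a.Issuer + "|" + a.Subject) }

// Sign attaches an RSA-SHA256 signature made with whatever key the caller holds.
func Sign(a Assertion, key *rsa.PrivateKey) (Assertion, error) {
	digest := sha256.Sum256(payload(a))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return a, err
	}
	a.Signature = sig
	return a, nil
}

// VerifyPresenceOnly reproduces the flawed check: a signature element must
// exist, but its value is never validated, so any key (or junk bytes) passes.
func VerifyPresenceOnly(a Assertion) bool { return len(a.Signature) > 0 }

// VerifyAgainstIdP is the correct check: the signature must validate under the
// public key registered for the identity provider in the service provider's metadata.
func VerifyAgainstIdP(a Assertion, idp *rsa.PublicKey) bool {
	digest := sha256.Sum256(payload(a))
	return rsa.VerifyPKCS1v15(idp, crypto.SHA256, digest[:], a.Signature) == nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // the registered IdP key (hypothetical)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the SP never registered
	a := Assertion{Issuer: "https://idp.example", Subject: "alice@example.com"}
	genuine, _ := Sign(a, idpKey)
	bogus, _ := Sign(a, otherKey)
	fmt.Println("presence-only accepts:", VerifyPresenceOnly(genuine), VerifyPresenceOnly(bogus))
	fmt.Println("IdP-key check accepts:", VerifyAgainstIdP(genuine, &idpKey.PublicKey), VerifyAgainstIdP(bogus, &idpKey.PublicKey))
}
```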

Netskope suffered from a similar but more fundamental bypass. The enrollment API required no authentication, allowing attackers to register devices using only leaked organization keys and valid email addresses.

Check Point’s vulnerability centered on hard-coded encryption keys embedded in client binaries. These keys protected diagnostic log uploads containing JSON Web Tokens (JWTs) that lived for 30 days, creating a potential compromise scenario for any customer who had uploaded logs to support.

Credential storage and token management flaws

All three vendors implemented weak credential storage mechanisms. Zscaler stored Device Token Authentication credentials in the Windows registry in clear text, allowing local attackers to extract tokens and impersonate any user by modifying registry values. Netskope’s “Secure Enrollment” tokens used DPAPI encryption with insufficient protection.

Vendor response and remediation

Vendor responses varied significantly in speed and effectiveness. According to the researchers, Zscaler responded most quickly, initially patching their SAML vulnerability (CVE-2025-54982) within 4 hours. However, the fix introduced compatibility issues that required a rollback before a permanent solution was implemented.
