Multiple ZTNA Products Authentication Bypass

Byadmblake August 15, 2025

What is the Vulnerability?A series of critical vulnerabilities affecting leading zero trust platforms – Zscaler, Netskope, and Check Point (Perimeter 81) – have been disclosed following a seven-month research campaign by security researchers David Cash and Richard Warren. These flaws include authentication bypasses, privilege escalation, and hardcoded credentials, significantly weakening the core security assumptions of zero-trust environments.Zscaler (CVE-2025-54982): The most severe flaw is CVE-2025-54982, which affects Zscaler’s SAML authentication mechanism. The vulnerability arises from the improper verification of cryptographic signatures in Zscaler’s SAML authentication mechanism, allowing attackers to craft forged SAML assertions and bypass authentication, thereby posing a significant risk to data integrity and confidentiality. Netskope: Multiple client-side vulnerabilities were discovered. CVE-2024-7401 allows unauthorized client enrollment by abusing static, non-rotatable “OrgKey” tokens. Additional pending CVEs describe: Cross-organization user impersonation using shared OrgKey values and a Privilege escalation issue. Check Point (Perimeter 81): Check Point’s Perimeter 81 platform suffers from a critical vulnerability involving hard-coded SFTP credentials. These credentials grant unauthorized access to client log files and JWT authentication tokens across multiple tenants, violating zero-trust isolation principles. No CVE has been assigned at this time.What is the recommended Mitigation?There is currently no confirmed in-the-wild exploitation, but public disclosure and high-risk potential suggest that proof-of-concept (PoC) attacks are likely imminent. Due to the low attack complexity and high severity, exploitation in the wild is considered highly probable in the near term.Zscaler has released a patch for CVE-2025-54982, and it has been remediated in all Zscaler Clouds. Customers are strongly advised to update the SAML authentication module, enforce strict digital signature validation, and rotate credentials that may have been exposed. Zscaler TrustNetskope has issued an advisory for CVE-2024-7401. NSKPSA-2024-001 – NetskopeCheck Point has not yet issued a patch or advisory for the vulnerability in Perimeter 81. Until a fix is available, customers should rotate any hardcoded or shared SFTP credentials, restrict SFTP access, and monitor access logs for anomalous activity. What FortiGuard Coverage is available?FortiGuard Labs is currently analyzing the vulnerabilities and monitoring for indicators of compromise (IOCs). Signature detections and threat Signal will be updated as information becomes available.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Blog

Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. “Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and

Read More Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
Blog

DoJ Seizes 145 Domains Tied to BidenCash Carding Marketplace in Global Takedown

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. “The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information,” the…

Read More DoJ Seizes 145 Domains Tied to BidenCash Carding Marketplace in Global Takedown
Blog

Nation-State Threats Put SMBs in Their Sights

Cyberthreat groups increasingly see small and medium businesses, especially those with links to larger businesses, as the weak link in the supply chain for software and IT services.

Read More Nation-State Threats Put SMBs in Their Sights
Blog

Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that’s designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency…

Read More Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders
Blog

Intel Maps New vPro Chips to MITRE’s ATT&CK Framework

The PC Security Stack Mappings project improves the security posture of corporate PCs by aligning each of the security features found in vPro PC and Core Ultra chips with the techniques described in MITRE’s ATT&CK.

Read More Intel Maps New vPro Chips to MITRE’s ATT&CK Framework
Blog

Are We Prioritizing the Wrong Security Metrics?

True security isn’t about meeting deadlines — it’s about mitigating risk in a way that aligns with business objectives while protecting against real-world threats.

Read More Are We Prioritizing the Wrong Security Metrics?

Related