Major vendor vulnerabilities span authentication and design flaws
The research exposed critical vulnerabilities across Check Point, Zscaler and Netskope that fell into three primary categories: authentication bypasses, credential storage failures and cross-tenant exploitation.
Authentication bypass vulnerabilities
Zscaler’s SAML implementation contained the most severe authentication flaw. The researchers discovered that the signature on the SAML assertion was only checked for presence, and it wasn’t validated against the identity provider’s public key. This allowed complete bypass of identity provider authentication by forging SAML responses with invalid signatures.
Netskope suffered from a similar but more fundamental bypass. The enrollment API required no authentication, allowing attackers to register devices using only leaked organization keys and valid email addresses.
Check Point’s vulnerability centered on hard-coded encryption keys embedded in client binaries. These keys protected diagnostic log uploads containing JSON Web Tokens (JWTs) that lived for 30 days creating a potential compromise scenario for any customer who had uploaded logs to support.
Credential storage and token management flaws
All three vendors implemented weak credential storage mechanisms. Zscaler stored Device Token Authentication credentials in Windows registry in clear text, allowing local attackers to extract tokens and impersonate any user by modifying registry values. Netskope’s “Secure Enrollment” tokens used DPAPI encryption with insufficient protection.
Vendor response and remediation
Vendor responses varied significantly in speed and effectiveness. According to the researchers, Zscaler responded most rapidly, initially patching their SAML vulnerability (CVE-2025-54982) within four hours. However, the fix introduced compatibility issues requiring a rollback before a permanent solution was implemented.
