Critical Flaws Found in Zero Trust Network Access Products from Check Point, Zscaler, and Netskope

AmberWolf security researchers unveiled devastating vulnerabilities in leading Zero Trust Network Access (ZTNA) solutions at DEF CON 33, demonstrating complete authentication bypasses and privilege escalation attacks against Zscaler, Netskope, and Check Point systems.

The seven-month investigation revealed that organizations relying on these “next-generation” security solutions may face significantly greater risks than traditional VPN deployments.

Vulnerabilities Discovered in Leading ZTNA Solutions

The research team identified multiple high-severity vulnerabilities across major ZTNA vendors.

In Zscaler’s implementation, researchers discovered CVE-2025-54982, a SAML authentication bypass vulnerability where the system failed to validate that SAML assertions were properly signed.

This flaw enabled complete authentication bypass, granting attackers access to both web proxies and “Private Access” services that route traffic to internal enterprise resources.
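As an added illustration (not code from AmberWolf, Zscaler, or the original article), the sketch below shows the fail-closed gate a SAML service provider needs before it trusts an assertion: exactly one assertion, covered by a signature that references its own ID or the enclosing response's ID. The function names and sample messages are constructed for this example; cryptographic verification of the signature against the pinned IdP certificate is assumed to follow and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

class UnsignedAssertion(Exception):
    """Raised when no XML signature structurally covers the assertion."""

def _signed_ids(element):
    # IDs referenced by ds:Signature elements that are direct children of `element`.
    refs = element.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}

def require_signed_assertion(xml_text):
    """Return the Assertion element or raise; there is no path that accepts by default."""
    root = ET.fromstring(xml_text)  # use a hardened parser (e.g. defusedxml) in production
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise UnsignedAssertion("not a SAML Response")
    # Exactly one assertion, at the top level: rejects wrapped or duplicated assertions.
    direct = root.findall("saml:Assertion", NS)
    if len(direct) != 1 or len(root.findall(".//saml:Assertion", NS)) != 1:
        raise UnsignedAssertion("expected exactly one top-level Assertion")
    assertion = direct[0]
    aid, rid = assertion.get("ID"), root.get("ID")
    if (aid and aid in _signed_ids(assertion)) or (rid and rid in _signed_ids(root)):
        return assertion  # next step (not shown): verify the signature cryptographically
    raise UnsignedAssertion("no signature covers the assertion")

def sample_response(signature_ref):
    # Constructed test input; signature_ref=None yields an unsigned assertion.
    sig = ""
    if signature_ref is not None:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
               '</ds:SignedInfo></ds:Signature>' % (NS["ds"], signature_ref))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
            '<saml:Assertion ID="_a1">%s<saml:Subject><saml:NameID>alice@example.test'
            '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig))
```

Passing this gate only establishes that a signature is present and points at the right element; the identity in the assertion must not be used until that signature has been verified with an XML-DSig library.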

Netskope suffered from two distinct authentication bypass vulnerabilities.

The first involved an authentication bypass in Identity Provider (IdP) enrollment mode, while the second enabled arbitrary cross-organization user impersonation when attackers obtained a non-revocable “OrgKey” value alongside any enrollment key.

Additionally, researchers identified a local privilege escalation vulnerability (CVE pending) that allowed attackers to achieve SYSTEM-level privileges by coercing the Netskope client to communicate with a rogue server.

Check Point’s Perimeter 81 solution exposed a hard-coded SFTP key vulnerability, providing unauthorized access to an SFTP server containing client logs from multiple tenants, including files with JWT (JSON Web Token) material that could facilitate authentication against the service.

Authentication Bypass Exploits Expose Enterprise Networks

The authentication bypass vulnerabilities represent the most critical findings, as they provide attackers with complete access to internal network resources without legitimate credentials.

When successful exploitation occurs, attackers gain the ability to impersonate any user within the target organization, accessing both external web resources through corporate proxies and internal infrastructure through Private Access tunnels.

Particularly concerning is Netskope’s continued support for an authentication method they have publicly documented as exploitable since CVE-2024-7401 was reported in 2024.

Despite awareness of in-the-wild exploitation by bug bounty hunters, many organizations continue to operate in this vulnerable configuration as of August 2025, approximately 16 months after initial disclosure.

Vendor Response and Industry Impact

The research highlights significant disparities in vendor transparency regarding security vulnerabilities.

While Zscaler issued CVE-2025-54982 for their SAML authentication bypass, Netskope consistently refuses to issue CVEs for server-side vulnerabilities, raising questions about organizational risk assessment capabilities.

Check Point confirmed with Cyber Press that “No action was required by our customers to protect themselves from this CVE. We can confirm that Check Point customers have not been exposed to this CVE since March.”

The UK National Cyber Security Centre’s February 2025 guidance on digital forensics and protective monitoring specifications emphasizes the critical importance of logging standards and forensic data acquisition requirements for network devices.

Organizations outsourcing traffic management to ZTNA vendors must demand clear assurances that these standards are met and that server-side vulnerabilities receive transparent disclosure, enabling proper risk evaluation and incident response capabilities.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
