Threat Signal Report

Multiple ZTNA Products Authentication Bypass

What is the Vulnerability?	A series of critical vulnerabilities affecting leading zero trust platforms - Zscaler, Netskope, and Check Point (Perimeter 81) - have been disclosed following a seven-month research campaign by security researchers David Cash and Richard Warren. These flaws include authentication bypasses, privilege escalation, and hardcoded credentials, significantly weakening the core security assumptions of zero-trust environments. Zscaler (CVE-2025-54982): The most severe flaw is CVE-2025-54982, which affects Zscaler’s SAML authentication mechanism. The vulnerability arises from the improper verification of cryptographic signatures in Zscaler's SAML authentication mechanism, allowing attackers to craft forged SAML assertions and bypass authentication, thereby posing a significant risk to data integrity and confidentiality. Netskope: Multiple client-side vulnerabilities were discovered. CVE-2024-7401 allows unauthorized client enrollment by abusing static, non-rotatable “OrgKey” tokens. Additional pending CVEs describe: Cross-organization user impersonation using shared OrgKey values and a Privilege escalation issue. Check Point (Perimeter 81): Check Point’s Perimeter 81 platform suffers from a critical vulnerability involving hard-coded SFTP credentials. These credentials grant unauthorized access to client log files and JWT authentication tokens across multiple tenants, violating zero-trust isolation principles. No CVE has been assigned at this time.
What is the recommended Mitigation?	There is currently no confirmed in-the-wild exploitation, but public disclosure and high-risk potential suggest that proof-of-concept (PoC) attacks are likely imminent. Due to the low attack complexity and high severity, exploitation in the wild is considered highly probable in the near term. Zscaler has released a patch for CVE-2025-54982, and it has been remediated in all Zscaler Clouds. Customers are strongly advised to update the SAML authentication module, enforce strict digital signature validation, and rotate credentials that may have been exposed. Zscaler Trust Netskope has issued an advisory for CVE-2024-7401. NSKPSA-2024-001 - Netskope Check Point has not yet issued a patch or advisory for the vulnerability in Perimeter 81. Until a fix is available, customers should rotate any hardcoded or shared SFTP credentials, restrict SFTP access, and monitor access logs for anomalous activity.
What FortiGuard Coverage is available?	FortiGuard Labs is currently analyzing the vulnerabilities and monitoring for indicators of compromise (IOCs). Signature detections and threat Signal will be updated as information becomes available. The FortiGuard Incident Response team can be engaged to help with any suspected compromise.