AmberWolf
@AmberWolfSec
Offensive Cyber, Risk Management & Governance, Vulnerability Research and Technical Due Diligence
UK
Joined February 2024
A long time ago (well… last year), in a protocol handler not so far away, we showed how Delinea's URL handler could be abused during update (CVE-2024-12908). We've now found a new path using msiexec's PATCH to pull a remote MSP and execute code - even when the MSI is signed!
✨ The Saga Continues: MSI Strikes Back ✨ TL;DR: Bypass for CVE-2024-12908 - Code execution via Delinea's protocol handler is back. Patch now!
Netskope has not issued a CVE, noting only in release notes that a “security gap” was fixed. Full technical details are on our blog: https://t.co/whdQdKrtOT
We also found all the credential material needed to exploit it available through OSINT, meaning the risk was not necessarily limited to other customers.
This flaw could allow an attacker in one organisation to bypass authentication and enrol users in another, gaining the same network access as the impersonated account.
As part of our ongoing ZTNA research series, we identified a cross-tenant authentication bypass in Netskope Secure Enrolment, disclosed on 14 March 2025 and patched in release R126 on 12 May 2025.
Just because it says “Secure” does not mean it is. Authentication bypasses are not always just about going from unauthenticated to authenticated. What if other customers could gain access to your multi-tenant environment?
Netskope have released NSKPSA-2025-002 / CVE-2025-0309 for one of the privilege escalation vulnerabilities discussed during our #ZeroTrustTotalBust DEFCON talk. Full writeup and PoC to follow on the @AmberWolfSec blog https://t.co/wIrvDrb4gc
You can read about our overall research project at https://t.co/AEPWfEKwrZ and learn about a SAML Authentication bypass in Zscaler (CVE-2025-54982) at
blog.amberwolf.com
AmberWolf Security Research Blog
Our research uncovered critical flaws in these market-leading solutions, allowing attackers to escalate privileges on end user devices and to completely bypass authentication, granting access to internal resources as any user!
Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview and Advisory - Zscaler SAML Authentication Bypass (CVE-2025-54982). Following on from our DEF CON 33 presentation, the first two blog posts in our series on Zero Trust Network access abuse are now live.
Maybe some info at #defcon33 on Saturday, Track 3, 15:30 "Zero Trust, Total Bust - Breaking into thousands of cloud-based VPNs with one bug"
not much info about it but: 🔥 CVE-2025-54982, CVSS: 9.6 (#Critical) Zscaler SAML Authentication A critical vulnerability due to improper verification of cryptographic signatures in Zscaler's SAML authentication mechanism, allowing authentication abuse. #CyberSecurity #CVE
If you want to understand why ZTNA solutions are not the answer to the problems highlighted by NachoVPN, you can attend our presentation, “Zero Trust, Total Bust - Breaking into thousands of cloud VPNs with one bug”, at DEF CON on Saturday 9th August at 15:30, Track 3.
Read our blog post to learn more about the NachoVPN updates, the underlying bypasses and techniques that make obtaining SYSTEM shells possible, and how you can mitigate this in your environment.
• Adds support for Impacket https://t.co/bXbLvxI27q, making it easier to serve payloads over the tunnel.
• Includes a bypass for CVE-2020-8241, allowing you, once again, to gain SYSTEM access using the Ivanti Connect Secure Client.
Today, we are releasing an update to NachoVPN that:
• Adds support for full VPN tunnelling and packet forwarding. This enables NachoVPN not only to behave like a VPN up to the point of connection, but to implement a fully functional VPN tunnel.
New Blog: NachoVPN - Now With More VPN (And SYSTEM Shells). Ahead of presenting our Zero Trust Network Access research at DEF CON 33, we thought it appropriate to release some updates to NachoVPN to keep SSL VPN enthusiasts happy.