Client Connector
CVE-2024-23457
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (zscaler) · only source for this CVE.
CVSS VectorVendor: zscaler
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209
AnalysisAI
The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. The anti-tampering functionality of the Zscaler Client Connector can be disabled under certain conditions when an uninstall password is enforced. This affects Zscaler Client Connector on Windows prior to 4.2.0.209 Affected products include: Zscaler Client Connector. Version information: prior to 4.2.0.209.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
More in Client Connector
View allDHCP can add routes to a client’s routing table via the classless static route option (121). Rated high severity (CVSS 7
An Improper Input Validation vulnerability in Zscaler Client Connector on MacOS allows OS Command Injection.2. Rated cri
An Improper Link Resolution Before File Access ('Link Following') vulnerability in Zscaler Client Connector on Mac allow
A fallback mechanism in code sign checking on macOS may allow arbitrary code execution.2. Rated critical severity (CVSS
An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation.4.0.105. Rat
Anti-tampering protection of the Zscaler Client Connector can be bypassed under certain conditions when running the Repa
The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrar
While copying individual autoupdater log files, reparse point check was missing which could result into crafted attacks,
The ZScaler service is susceptible to a local privilege escalation vulnerability found in the ZScalerService process. Ra
Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injectio
Origin Validation Error vulnerability in Zscaler Client Connector on Linux allows Inclusion of Code in Existing Process.
Buffer overflow vulnerability in the signelf library used by Zscaler Client Connector on Linux allows Code Injection.3.1
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today