Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Local attack requiring high privileges to reach kernel IOCTL; disabling security software constitutes integrity and availability impact; no confidentiality data is accessed.
Primary rating from Vendor (Netskope).
CVSS VectorVendor: Netskope
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
3DescriptionCVE.org
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with administrative privileges can potentially tamper with the customer IOCTL by sending crafted IOCTL requests to the driver. A successful exploit can result in the bypassing of all anti-tampering protections for the NSClient.Affected Product(s) and Version(s)
- Product Name: Netskope Client
- Affected Platform: Windows
- Affected Version: All version below R138
AnalysisAI
Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.
Technical ContextAI
The Netskope Client installs a Windows kernel-mode driver that enforces anti-tampering protections for the NSClient endpoint agent, a common design pattern in security software intended to prevent privileged users from disabling protective controls. This driver exposes an IOCTL (Input/Output Control) interface, the standard Windows mechanism for userland-to-driver communication. CWE-782 (Exposed IOCTL with Insufficient Access Control) describes the root cause: the driver fails to adequately validate or restrict which callers are permitted to issue sensitive control codes, allowing a local administrator to craft and submit IOCTL requests that trigger internal driver behaviors beyond what the normal client application would send. The CPE cpe:2.3:a:netskope:netskope_client:*:*:*:*:*:*:*:* covers all version lines on all platforms, but the vendor explicitly scopes impact to Windows deployments. The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:H/UI:N confirms local access with high privileges is required and that no special attack conditions beyond admin rights are needed.
RemediationAI
Upgrade Netskope Client to version R138 or later, as confirmed by the vendor advisory NSKPSA-2025-007 at https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2025-007. This is the primary and preferred fix. If immediate upgrading is not feasible, compensating controls should focus on reducing the insider threat surface: restrict local administrator rights on endpoints running Netskope Client to only operationally required accounts, monitor for unexpected IOCTL activity directed at Netskope driver handles using EDR telemetry or Windows ETW kernel tracing, and implement privileged access management (PAM) solutions to require just-in-time admin elevation with session recording. Note that these compensating controls reduce opportunity but do not eliminate the vulnerability - any account that legitimately holds or can obtain local admin rights retains the technical ability to exploit this flaw until patching is complete. Forcing admin sessions through an audited PAM gateway is the most operationally impactful interim control.
More in Netskope Client
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210212