Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Local attack requiring high admin privileges; DACLs are misconfigured by default so AC:L; no confidentiality impact; integrity and availability both high as the security service can be stopped or modified.
Primary rating from Vendor (Netskope).
CVSS VectorVendor: Netskope
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
3DescriptionCVE.org
Netskope is notified about a potential gap in its Netskoped Client for Windows systems where a malicious insider with admin privileges can lead to bypassing the NSClient Tamper Protections due to weak Discretionary Access Control List (DACLs) on the service object and related registry keys,.
- Product Name: Netskope Client
- Affected Platform: Windows
- Affected Version: All version below R138
AnalysisAI
Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.
Technical ContextAI
Netskope Client (CPE: cpe:2.3:a:netskope:netskope_client:*:*:*:*:*:*:*:*) is a Windows endpoint security agent that includes a Tamper Protection mechanism designed to prevent modification or disabling of the client even by privileged users. The vulnerability is classified as CWE-276 (Incorrect Default Permissions), meaning the Windows Discretionary Access Control Lists (DACLs) applied to the NSClient Windows service object and its related registry keys are insufficiently restrictive. On a correctly hardened endpoint security product, service DACLs would be set to deny modification even to local administrators, enforcing the tamper protection boundary at the OS level. Here, the DACLs grant local admins sufficient access to interact directly with the service control manager entry and registry paths, circumventing the intended protection. This is a configuration-level security failure in the installer or service registration logic rather than a memory corruption or injection flaw.
RemediationAI
Upgrade Netskope Client to version R138 or later, which corrects the weak DACL assignments on the NSClient service object and related registry keys per Netskope Security Advisory NSKPSA-2025-008 (https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2025-008). For environments unable to deploy R138 immediately, apply endpoint privilege management controls to restrict which accounts hold local administrator rights on endpoints running Netskope Client - specifically, prevent general IT admin accounts from having interactive local admin access to systems where the security agent must not be tampered with. Auditing Windows service DACLs using tools such as sc sdshow NSClient can identify whether the service object is accessible to admin accounts beyond SYSTEM and TrustedInstaller, helping confirm exposure. Enabling Windows event logging for service control manager events (Event ID 7040, 7045) and registry key modification auditing on the Netskope registry paths provides detective compensating control. Note that these mitigations reduce but do not eliminate the risk for accounts with legitimate local admin access.
More in Netskope Client
View allSame weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210211