Skip to main content

Netskope Client CVE-2025-15642

| EUVDEUVD-2025-210211 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-06-17 Netskope
6.8
CVSS 4.0 · Vendor: Netskope
Share

Severity by source

Vendor (Netskope) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
vuln.today AI
6.0 MEDIUM

Local attack requiring high admin privileges; DACLs are misconfigured by default so AC:L; no confidentiality impact; integrity and availability both high as the security service can be stopped or modified.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Netskope).

CVSS VectorVendor: Netskope

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None

Lifecycle Timeline

3
Patch available
Jun 17, 2026 - 03:01 EUVD
Analysis Generated
Jun 17, 2026 - 02:17 vuln.today
CVE Published
Jun 17, 2026 - 01:48 cve.org
MEDIUM 6.8

DescriptionCVE.org

Netskope is notified about a potential gap in its Netskoped Client for Windows systems where a malicious insider with admin privileges can lead to bypassing the NSClient Tamper Protections due to weak Discretionary Access Control List (DACLs) on the service object and related registry keys,.

  • Product Name: Netskope Client
  • Affected Platform: Windows
  • Affected Version: All version below R138

AnalysisAI

Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.

Technical ContextAI

Netskope Client (CPE: cpe:2.3:a:netskope:netskope_client:*:*:*:*:*:*:*:*) is a Windows endpoint security agent that includes a Tamper Protection mechanism designed to prevent modification or disabling of the client even by privileged users. The vulnerability is classified as CWE-276 (Incorrect Default Permissions), meaning the Windows Discretionary Access Control Lists (DACLs) applied to the NSClient Windows service object and its related registry keys are insufficiently restrictive. On a correctly hardened endpoint security product, service DACLs would be set to deny modification even to local administrators, enforcing the tamper protection boundary at the OS level. Here, the DACLs grant local admins sufficient access to interact directly with the service control manager entry and registry paths, circumventing the intended protection. This is a configuration-level security failure in the installer or service registration logic rather than a memory corruption or injection flaw.

RemediationAI

Upgrade Netskope Client to version R138 or later, which corrects the weak DACL assignments on the NSClient service object and related registry keys per Netskope Security Advisory NSKPSA-2025-008 (https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2025-008). For environments unable to deploy R138 immediately, apply endpoint privilege management controls to restrict which accounts hold local administrator rights on endpoints running Netskope Client - specifically, prevent general IT admin accounts from having interactive local admin access to systems where the security agent must not be tampered with. Auditing Windows service DACLs using tools such as sc sdshow NSClient can identify whether the service object is accessible to admin accounts beyond SYSTEM and TrustedInstaller, helping confirm exposure. Enabling Windows event logging for service control manager events (Event ID 7040, 7045) and registry key modification auditing on the Netskope registry paths provides detective compensating control. Note that these mitigations reduce but do not eliminate the risk for accounts with legitimate local admin access.

Share

CVE-2025-15642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy