Skip to main content

Netskope Client EUVDEUVD-2025-210212

| CVE-2025-15641 MEDIUM
Exposed IOCTL with Insufficient Access Control (CWE-782)
2026-06-17 Netskope
6.8
CVSS 4.0 · Vendor: Netskope
Share

Severity by source

Vendor (Netskope) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
vuln.today AI
6.0 MEDIUM

Local attack requiring high privileges to reach kernel IOCTL; disabling security software constitutes integrity and availability impact; no confidentiality data is accessed.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Netskope).

CVSS VectorVendor: Netskope

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None

Lifecycle Timeline

3
Patch available
Jun 17, 2026 - 03:01 EUVD
Analysis Generated
Jun 17, 2026 - 02:16 vuln.today
CVE Published
Jun 17, 2026 - 01:31 cve.org
MEDIUM 6.8

DescriptionCVE.org

Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with administrative privileges can potentially tamper with the customer IOCTL by sending crafted IOCTL requests to the driver. A successful exploit can result in the bypassing of all anti-tampering protections for the NSClient.Affected Product(s) and Version(s)

  • Product Name: Netskope Client
  • Affected Platform: Windows
  • Affected Version: All version below R138

AnalysisAI

Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.

Technical ContextAI

The Netskope Client installs a Windows kernel-mode driver that enforces anti-tampering protections for the NSClient endpoint agent, a common design pattern in security software intended to prevent privileged users from disabling protective controls. This driver exposes an IOCTL (Input/Output Control) interface, the standard Windows mechanism for userland-to-driver communication. CWE-782 (Exposed IOCTL with Insufficient Access Control) describes the root cause: the driver fails to adequately validate or restrict which callers are permitted to issue sensitive control codes, allowing a local administrator to craft and submit IOCTL requests that trigger internal driver behaviors beyond what the normal client application would send. The CPE cpe:2.3:a:netskope:netskope_client:*:*:*:*:*:*:*:* covers all version lines on all platforms, but the vendor explicitly scopes impact to Windows deployments. The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:H/UI:N confirms local access with high privileges is required and that no special attack conditions beyond admin rights are needed.

RemediationAI

Upgrade Netskope Client to version R138 or later, as confirmed by the vendor advisory NSKPSA-2025-007 at https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2025-007. This is the primary and preferred fix. If immediate upgrading is not feasible, compensating controls should focus on reducing the insider threat surface: restrict local administrator rights on endpoints running Netskope Client to only operationally required accounts, monitor for unexpected IOCTL activity directed at Netskope driver handles using EDR telemetry or Windows ETW kernel tracing, and implement privileged access management (PAM) solutions to require just-in-time admin elevation with session recording. Note that these compensating controls reduce opportunity but do not eliminate the vulnerability - any account that legitimately holds or can obtain local admin rights retains the technical ability to exploit this flaw until patching is complete. Forcing admin sessions through an audited PAM gateway is the most operationally impactful interim control.

Share

EUVD-2025-210212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy