Netskope Client
Monthly
Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.
Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.
Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.
Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.