CVE-2025-0309 (GCVE-0-2025-0309)
Vulnerability from cvelistv5
Published
2025-08-14 04:35
Modified
2025-08-15 12:58
Severity ?
6.0 (Medium) - CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:H/SI:H/SA:H
Summary
An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges.
References
psirt@netskope.comhttps://blog.amberwolf.com/blog/2025/august/breaking-into-your-network-zer0-effort/
psirt@netskope.comhttps://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-002
Impacted products
Vendor Product Version
Netskope Netskope Client Version: 0   < 129.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-15T12:26:51.060701Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-15T12:58:27.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Netskope Client",
          "vendor": "Netskope",
          "versions": [
            {
              "lessThan": "129.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Richard Warren"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges."
            }
          ],
          "value": "An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T04:35:15.287Z",
        "orgId": "bf992f6a-e49d-4e94-9479-c4cff32c62bc",
        "shortName": "Netskope"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://blog.amberwolf.com/blog/2025/august/breaking-into-your-network-zer0-effort/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-002"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the Netskope Client to version 129.0.0 or newer"
            }
          ],
          "value": "Update the Netskope Client to version 129.0.0 or newer"
        }
      ],
      "source": {
        "advisory": "NSKPSA-2025-002",
        "discovery": "EXTERNAL"
      },
      "title": "Netskope Client Local Elevation of Privileges",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There are multiple configurations which can mitigate and reduce potential exposure: \u003cbr\u003e\u003cul\u003e\u003cli\u003eBlock connection/access to any new domain or URLs to NS Client apart from goskope.com\u003c/li\u003e\u003cul\u003e\u003cli\u003eUse EDR tools to monitor connections from NS Client to any random domains and block it\u003c/li\u003e\u003c/ul\u003e\u003cli\u003e\n\nMonitor for addition of any self signed certificates in operating system certificate store\n\n\u003cbr\u003e\u003c/li\u003e\u003cli\u003eMonitor the status of NS Client\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "There are multiple configurations which can mitigate and reduce potential exposure: \n  *  Block connection/access to any new domain or URLs to NS Client apart from goskope.com\n  *  Use EDR tools to monitor connections from NS Client to any random domains and block it\n\n\n  *  \n\nMonitor for addition of any self signed certificates in operating system certificate store\n\n\n\n  *  Monitor the status of NS Client"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bf992f6a-e49d-4e94-9479-c4cff32c62bc",
    "assignerShortName": "Netskope",
    "cveId": "CVE-2025-0309",
    "datePublished": "2025-08-14T04:35:15.287Z",
    "dateReserved": "2025-01-07T14:23:56.898Z",
    "dateUpdated": "2025-08-15T12:58:27.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-0309\",\"sourceIdentifier\":\"psirt@netskope.com\",\"published\":\"2025-08-14T05:15:26.690\",\"lastModified\":\"2025-08-15T13:15:30.470\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges.\"},{\"lang\":\"es\",\"value\":\"Una validaci\u00f3n insuficiente en el endpoint de conexi\u00f3n del servidor en Netskope Client permite a los usuarios locales elevar privilegios en el sistema. Esta validaci\u00f3n insuficiente permite a Netskope Client conectarse a cualquier otro servidor con certificados TLS de CA firmados p\u00fablicamente y enviar respuestas manipuladas espec\u00edficamente para elevar privilegios.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@netskope.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"references\":[{\"url\":\"https://blog.amberwolf.com/blog/2025/august/breaking-into-your-network-zer0-effort/\",\"source\":\"psirt@netskope.com\"},{\"url\":\"https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-002\",\"source\":\"psirt@netskope.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0309\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-15T12:26:51.060701Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-15T12:26:54.612Z\"}}], \"cna\": {\"title\": \"Netskope Client Local Elevation of Privileges\", \"source\": {\"advisory\": \"NSKPSA-2025-002\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Richard Warren\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:H/SI:H/SA:H\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Netskope\", \"product\": \"Netskope Client\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"129.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update the Netskope Client to version 129.0.0 or newer\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update the Netskope Client to version 129.0.0 or newer\", \"base64\": false}]}], \"references\": [{\"url\": \"https://blog.amberwolf.com/blog/2025/august/breaking-into-your-network-zer0-effort/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-002\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"There are multiple configurations which can mitigate and reduce potential exposure: \\n  *  Block connection/access to any new domain or URLs to NS Client apart from goskope.com\\n  *  Use EDR tools to monitor connections from NS Client to any random domains and block it\\n\\n\\n  *  \\n\\nMonitor for addition of any self signed certificates in operating system certificate store\\n\\n\\n\\n  *  Monitor the status of NS Client\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"There are multiple configurations which can mitigate and reduce potential exposure: \u003cbr\u003e\u003cul\u003e\u003cli\u003eBlock connection/access to any new domain or URLs to NS Client apart from goskope.com\u003c/li\u003e\u003cul\u003e\u003cli\u003eUse EDR tools to monitor connections from NS Client to any random domains and block it\u003c/li\u003e\u003c/ul\u003e\u003cli\u003e\\n\\nMonitor for addition of any self signed certificates in operating system certificate store\\n\\n\u003cbr\u003e\u003c/li\u003e\u003cli\u003eMonitor the status of NS Client\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges.\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"bf992f6a-e49d-4e94-9479-c4cff32c62bc\", \"shortName\": \"Netskope\", \"dateUpdated\": \"2025-08-14T04:35:15.287Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-0309\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-15T12:58:27.857Z\", \"dateReserved\": \"2025-01-07T14:23:56.898Z\", \"assignerOrgId\": \"bf992f6a-e49d-4e94-9479-c4cff32c62bc\", \"datePublished\": \"2025-08-14T04:35:15.287Z\", \"assignerShortName\": \"Netskope\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.