Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-54982

Summary
Assigner-Zscaler
Assigner Org ID-73c6f63b-efac-410d-a0a9-569700f85a04
Published At-05 Aug, 2025 | 05:36
Updated At-19 Aug, 2025 | 03:55
Rejected At-
Credits

SAML 2.0 Public Key Validation Issue

An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Zscaler
Assigner Org ID:73c6f63b-efac-410d-a0a9-569700f85a04
Published At:05 Aug, 2025 | 05:36
Updated At:19 Aug, 2025 | 03:55
Rejected At:
▼CVE Numbering Authority (CNA)
SAML 2.0 Public Key Validation Issue

An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse.

Affected Products
Vendor
Zscaler, Inc.Zscaler
Product
Authentication Server
Default Status
unaffected
Versions
Affected
  • From 0 before 6.2r (custom)
Problem Types
TypeCWE IDDescription
CWECWE-347CWE-347 Improper Verification of Cryptographic Signature
Type: CWE
CWE ID: CWE-347
Description: CWE-347 Improper Verification of Cryptographic Signature
Metrics
VersionBase scoreBase severityVector
3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-114CAPEC-114 Authentication Abuse
CAPEC ID: CAPEC-114
Description: CAPEC-114 Authentication Abuse
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Richard Warren, AmberWolf
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://help.zscaler.com/zia/about-identity-providers
N/A
Hyperlink: https://help.zscaler.com/zia/about-identity-providers
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@zscaler.com
Published At:05 Aug, 2025 | 06:15
Updated At:05 Aug, 2025 | 14:34

An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-347Secondarycve@zscaler.com
CWE ID: CWE-347
Type: Secondary
Source: cve@zscaler.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://help.zscaler.com/zia/about-identity-providerscve@zscaler.com
N/A
Hyperlink: https://help.zscaler.com/zia/about-identity-providers
Source: cve@zscaler.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2023-28801
Matching Score-10
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-10
Assigner-Zscaler, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.04% / 11.33%
||
7 Day CHG-0.00%
Published-31 Aug, 2023 | 13:53
Updated-01 Oct, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper SAML signature verification

An Improper Verification of Cryptographic Signature in the SAML authentication of the Zscaler Admin UI allows a Privilege Escalation.This issue affects Admin UI: from 6.2 before 6.2r.

Action-Not Available
Vendor-Zscaler, Inc.
Product-zscaler_internet_access_admin_portalZIA Admin Portal
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2024-23480
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-7.5||HIGH
EPSS-0.02% / 4.27%
||
7 Day CHG~0.00%
Published-01 May, 2024 | 16:27
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure MacOS code sign check fallback

A fallback mechanism in code sign checking on macOS may allow arbitrary code execution. This issue affects Zscaler Client Connector on MacOS prior to 4.2.

Action-Not Available
Vendor-Zscaler, Inc.
Product-Client Connectorclient_connector
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2024-23460
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.01% / 1.40%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 15:29
Updated-07 Aug, 2024 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect signature validation of package

The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrary code to be locally executed. This affects Zscaler Client Connector on MacOS <4.2.

Action-Not Available
Vendor-Zscaler, Inc.
Product-client_connectorClient Connectorclient_connector
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2024-23456
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-7.8||HIGH
EPSS-0.14% / 35.38%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 15:21
Updated-07 Aug, 2024 | 21:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Signature validation issue leads to Anti-Tampering bypass

Anti-tampering can be disabled under certain conditions without signature validation. This affects Zscaler Client Connector <4.2.0.190 with anti-tampering enabled.

Action-Not Available
Vendor-Zscaler, Inc.
Product-client_connectorClient Connectorclient_connector
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2023-28796
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-7.1||HIGH
EPSS-0.01% / 1.16%
||
7 Day CHG~0.00%
Published-23 Oct, 2023 | 13:28
Updated-27 Feb, 2025 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IPC Bypass Through PLT Section in ELF

Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6.

Action-Not Available
Vendor-Zscaler, Inc.
Product-client_connectorClient Connector
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2023-28806
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.03% / 8.25%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 15:41
Updated-07 Aug, 2024 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Signature validation error in DLL allows disabling anti-tampering protection

An Improper Validation of signature in Zscaler Client Connector on Windows allows an authenticated user to disable anti-tampering. This issue affects Client Connector on Windows <4.2.0.190.

Action-Not Available
Vendor-Zscaler, Inc.
Product-client_connectorClient Connectorclient_connector
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2023-28804
Matching Score-6
Assigner-Zscaler, Inc.
ShareView Details
Matching Score-6
Assigner-Zscaler, Inc.
CVSS Score-8.2||HIGH
EPSS-0.03% / 6.85%
||
7 Day CHG~0.00%
Published-23 Oct, 2023 | 13:33
Updated-17 Oct, 2024 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linux ZCC allows unsigned updates, allowing elevated Code Execution

An Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows replacing binaries.This issue affects Linux Client Connector: before 1.4.0.105

Action-Not Available
Vendor-Zscaler, Inc.
Product-client_connectorClient Connectorclient_connector
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
Details not found