Presented at DEF CON 33 (2025), Aug. 9, 2025, 3:30 p.m. (45 minutes).
Many organisations are moving to Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) solutions in response to the real and well-documented risks associated with traditional VPNs. These cloud-era alternatives promise improved security through finer-grained access controls and better posture enforcement. But are these 'next-gen' cloud VPNs truly secure? In this 45-minute session, we present new research revealing that many leading ZTNA platforms - including offerings from Zscaler, Netskope and Check Point - inherit legacy VPN weaknesses while introducing fresh cloud-based attack surfaces.

We demonstrate the process of external recon, bypassing authentication and device posture checks (including hardware ID spoofing), and abusing insecure inter-process communication (IPC) between ZTNA client components to achieve local privilege escalation. We show that it is possible to circumvent traffic steering to reach blocked content, exploit flaws in authentication flows to undermine device trust, and even run malicious ZTNA servers that execute code on connecting clients. Throughout the presentation, we highlight previously undisclosed vulnerabilities identified during our research. Zero trust does not mean zero risk.
References:
- Building on our previous work on SSL VPNs [link](https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/)
- Previous work by Sander di Wit (@sander_dewit on X).
Presenters:

- David "johnnyspandex" Cash, Red Team Operator at AmberWolf

  Red Team Operator at AmberWolf (formerly with NCC Group). Co-presenter of 'Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells' at SANS HackFest Hollywood 2024. David has led red team operations uncovering critical flaws in enterprise remote access tools and has a passion for reverse engineering security products.

- Rich "Buffaloverflow" Warren, Red Team Operator at AmberWolf

  Red Team Operator at AmberWolf and Microsoft Top 100 Security Researcher (formerly with NCC Group). Co-presenter of 'Very Pwnable Networks: Exploiting the Top Corporate VPN Clients…' at HackFest Hollywood 2024. Richard has a track record of discovering novel vulnerabilities in VPN and zero-trust clients and has contributed to multiple high-profile vulnerability disclosures and tools in the offensive security community.