Bypass Record

Tamper-Protection Bypass × Zscaler Client Connector for Windows

A publicly reported instance of a Tamper-Protection Bypass against Zscaler Client Connector for Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Zscaler Client Connector for Windows
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-08-06
Config / version noted: Yes

Provenance

Reported as

CVE-2024-23456 is an authentication bypass vulnerability in Zscaler Client Connector for Windows that allows anti-tampering protection to be disabled without proper signature validation.

Mechanism

Improper verification of cryptographic signatures in the anti-tampering mechanism allows an attacker to disable the protection without a valid signature. The network-based attack vector requires no authentication or user interaction, enabling remote exploitation to neutralize endpoint agent defenses.

Detection & mitigation

Monitor for unexpected termination or suspension of Zscaler Client Connector processes and services, especially when not initiated by authorized administrative actions. Ensure all endpoints are updated to Zscaler Client Connector version 4.2.0.190 or later to remediate the vulnerability.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.