Bypassing Cloudflare Zero Trust policies using warp-cli set-custom-endpoint command

Vulnerability

It was possible to bypass policies configured for Cloudflare Zero Trust Secure Web Gateway by using the warp-cli 'set-custom-endpoint' subcommand [1]. The WARP Client, when given an unreachable endpoint via this command, would disconnect, allowing bypass of administrative restrictions on a Zero Trust enrolled endpoint [1]. The affected component is the Cloudflare WARP Client for desktop platforms that support the warp-cli tool.

Exploitation

An attacker with local access to a Zero Trust enrolled endpoint can use the warp-cli set-custom-endpoint command with an unreachable endpoint address [1]. This causes the WARP client to disconnect from the Cloudflare edge, thereby removing the device from the secure gateway policies [1]. The attack requires no user interaction beyond the attacker's own actions and no special privileges beyond the ability to run warp-cli commands on the endpoint.

Impact

Successful exploitation leads to a bypass of all Zero Trust Secure Web Gateway policies for the affected device [1]. This can result in unauthorized network access, circumvention of content filtering, and potential data exfiltration as the device no longer adheres to the organization's security controls enforced by Cloudflare's gateway. The impact is primarily on integrity and confidentiality of the organization's network security posture.

Mitigation

Cloudflare released an update to the WARP Client that addresses this issue [1]. Users should update to the latest version of the WARP client as soon as possible [1]. The advisory does not list a specific fixed version number but recommends updating to the current release [1]. For Zero Trust administrators, ensure that endpoints are running the latest version and consider restricting local command-line access to warp-cli as a temporary workaround if patching is delayed.