Netskope Client Exposed IOCTL with Insufficient Access Controls

Vulnerability

Netskope Client for Windows versions below R138 expose an IOCTL interface with insufficient access controls. A malicious insider with administrative privileges on the system can send crafted IOCTL requests to the driver, enabling tampering with the customer IOCTL. This issue is tracked as CVE-2025-15641 and affects all versions prior to R138 [1].

Exploitation

An attacker must have local administrative privileges on the Windows host running the affected Netskope Client. With this access, the attacker sends specially crafted IOCTL requests to the driver. No additional authentication or user interaction is required beyond the initial administrative access. Netskope is not aware of any active exploitation in the wild [1].

Impact

A successful exploit allows the attacker to bypass all anti-tampering protections for the NSClient. This compromises the integrity of the client software, potentially allowing the attacker to disable or modify security controls enforced by the client. The confidentiality and availability of the client are indirectly affected as the attacker can tamper with its operation [1].

Mitigation

Netskope released a security patch in version R138 and above. All affected systems should be updated to R138 or later. No workarounds are available. The advisory, NSKPSA-2025-007, provides download instructions via Netskope Support [1].