Breaking into thousands of cloud-based VPNs with one bug

Name: Breaking into thousands of cloud-based VPNs with one bug
Description: Zero Trust Network Access (ZTNA) products — marketed as the successor to legacy VPNs — are increasingly deployed across enterprise environments following high-profile Ivanti, Pulse Secure, and Fortine

David Cash, Rich Warren

DEF CON 33 · Day 2 · Main Stage

Zero Trust Network Access (ZTNA) products — marketed as the successor to legacy VPNs — are increasingly deployed across enterprise environments following high-profile Ivanti, Pulse Secure, and Fortine

AI review

Cash and Warren systematically dismantle five major ZTNA products — including a Zscaler SAML signature bypass (CVE-2025-54982) affecting every SAML-enabled tenant on earth — and demonstrate that 'zero trust' is currently a marketing term.

Watch on YouTube