Lessons from DEF CON 33: Why Zero Trust Overlays Must Be Built In, Not Bolted On

At DEF CON 33 (Las Vegas, August 7-10, 2025), AmberWolf researchers disclosed critical vulnerabilities in major ZTNA (Zero Trust Network Access) products such as Zscaler, Netskope, and Check Point’s Perimeter 81. Highlights of the issues:

  • Zscaler: A SAML authentication bypass (CVE-2025-54982) where SAML assertions were not properly signature-validated.
    Layman’s analogy: Like accepting a signed contract without checking if the signature is real.
  • Netskope: An authentication bypass in IdP enrollment (CVE-2024-7401), cross-tenant user impersonation via a non-revocable OrgKey, and privilege escalation through a rogue server. Many organizations remained exposed 16 months after disclosure.
    Layman’s analogy: Like giving someone a master key to an apartment building, never being able to take it back, and leaving the back door propped open for over a year.
  • Check Point Perimeter 81: Hard-coded SFTP credentials that exposed multi-tenant logs, including JWT material that could be reused for authentication.
    Layman’s analogy: Like hiding the spare key under the doormat of an office building, along with a list of employee badges, so anyone who finds it can walk in and pretend to be any employee.

These flaws stem not from cryptographic weaknesses but from poor secret management, shared credentials, and exposed diagnostic services. They allow impersonation and full service access through misuse of JWTs, not by breaking the underlying cryptography.

The root cause was inadequate zero trust implementation. These systems placed excessive reliance on external IdPs, using them in ways they were not designed for or making them the sole gatekeeper of trust. In many cases, authentication was added after connectivity was established, contradicting the zero trust principle of “authenticate before connect.” This approach leaves gaps in emerging use cases such as multi-cloud, edge, IoT, and OT, where continuous, pre-connection trust enforcement is critical.

Built-In Zero Trust vs. Bolt-On Identity

Many ZTNA solutions treat zero trust as a feature added onto an existing network, leaning heavily on external identity providers for access decisions. This “bolt-on” approach often:

  • Makes trust decisions after a connection is established, not before.
  • Relies on shared static keys or tokens between tenants.
  • Exposes public service endpoints that can be scanned and attacked.

In contrast, a zero trust overlay built around strong, intrinsic identity enforces security from the first packet, and goes beyond user or device authentication to secure every service and every hop in the connection. Platforms such as NetFoundry embed zero trust principles directly into the network fabric:

  • Per-service X.509 certificates: each service has its own cryptographic identity, ensuring that compromise of one service does not affect others
  • Different keys for every mTLS hop: traffic is re-encrypted at each overlay connection, eliminating replay attacks and limiting exposure even if one hop is compromised
  • End-to-end encryption at the service layer (E2EE): data remains encrypted from source to destination, with no point in the overlay able to decrypt it unless explicitly authorized
  • No shared static keys: every identity is unique, preventing tenant-to-tenant pivoting
  • No public service endpoints: services are invisible to the internet, removing entire categories of attack surface
  • Integrated policies and segmentation: enforced inside the overlay without relying on external redirects or loosely coupled IdP logic

NetFoundry also supports integrating standards-based identity providers through OIDC (OpenID Connect) and SCIM (System for Cross-domain Identity Management) for automated user and group provisioning. These standards can be used as a replacement primary authentication method or as an additional secondary authentication factor, much like BYOPKI (bring your own PKI).

This flexibility lets organisations leverage existing SSO workflows and automate identity lifecycle management without weakening the overlay’s core security model. Even when OIDC and SCIM are in play, NetFoundry continues to enforce per-service X.509 certificates, unique mTLS keys per hop, and end-to-end service encryption. The overlay remains “closed-by-default,” with identity-before-connect enforced independently of the IdP’s availability or trust chain.
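To make the authenticate-before-connect model above concrete, here is an added Go sketch (example code written for this article, not NetFoundry or OpenZiti code): an overlay CA issues one certificate per identity, and a dial is admitted only if the presented certificate chains to that CA and the policy lists that identity for the target service, with no IdP in the decision path. The function names issueCert and authorizeDial, the policy shape, and the identity names used in comments are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert mints a short-lived certificate for one identity (service, device or
// user); with parent == nil it is self-signed and acts as the overlay CA (hypothetical helper).
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root: the overlay's own trust anchor
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorizeDial is the "authenticate before connect" gate: using only the peer's
// certificate, before any application byte is accepted, it requires a chain to the
// overlay CA and an allow-list entry for the target service. No external IdP is consulted.
func authorizeDial(peer, root *x509.Certificate, service string, policy map[string]map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if _, err := peer.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted identity: %w", err)
	}
	id := peer.Subject.CommonName // the per-identity name the overlay CA issued
	if !policy[service][id] {
		return "", fmt.Errorf("identity %q is not permitted to dial %q", id, service)
	}
	return id, nil
}
```

A certificate with the same name issued by a different CA (another tenant) fails the chain check before policy is even consulted, which is the property that prevents tenant-to-tenant pivoting.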

Beyond Remote Access: Consistent Zero Trust Everywhere

Because NetFoundry’s overlay enforces identity using X.509/PKI at the fabric level, it can be applied to any connectivity use case, not just remote user access. Whether securing multi-cloud workloads, edge applications, IoT deployments, or operational technology (OT) environments, the same user-, device-, and service-aware policies are applied to all traffic.

This contrasts sharply with tunnel-level ZTNA, which typically limits identity enforcement to remote access scenarios or applies it inconsistently outside the client-initiated path. The difference becomes especially critical in non-human-initiated (NHI) cases, such as machine-to-machine communications in OT or cloud-native multi-cloud. This is where traditional ZTNA often fails to authenticate and authorise every connection consistently.

With NetFoundry, every connection, in every direction, is authenticated and authorised before it exists, whether initiated by a person, a workload, or a machine.

Why It Matters to Security Leaders

  • For CISOs and CIOs: Built-in zero trust with per-service cryptographic identity, hop-by-hop mTLS, and end-to-end service encryption reduces breach risk from stolen tokens, static keys, or compromised IdPs.
  • For Network Architects and Security Engineers: Identity-based segmentation is enforced by the overlay, independent of your IdP, while still integrating cleanly with OIDC and SCIM for authentication and provisioning.
  • For Compliance and Governance Teams: Support for open standards (OIDC, SCIM, PKI) and closed-by-default design makes it easier to meet NIST Zero Trust Architecture and CISA Zero Trust Maturity Model requirements, while maintaining operational agility.
  • For OT and IoT Security Teams: Consistent identity enforcement across remote access, multi-cloud, edge, and machine-to-machine traffic, including non-human-initiated connections in OT, ensures the same zero trust policies apply everywhere, not just in client-initiated scenarios.

Key Takeaways

  • Bolt-on zero trust can be bypassed: built-in identity, per-service certificates, and enforced policy cannot.
  • Static, shared keys create multi-tenant blast radii: unique keys for each service and every mTLS hop eliminate this risk.
  • Public endpoints invite attacks: closed-by-default overlays and hidden services remove the target entirely.
  • External IdPs can fail or be compromised: optional OIDC and SCIM integration adds convenience without creating dependency.
  • Zero trust is an architecture, not a checkbox: it must be enforced before connection, with no exceptions, and secured end-to-end at the service layer.

The bottom line: The DEF CON 33 disclosures highlight the risks of retrofitting zero trust into architectures that were not designed for it. Established vendors often extend existing products to address emerging requirements, which can lead to a bolt-on effect that preserves legacy design choices. In contrast, newer and more focused providers have the advantage of building from the ground up, embedding per-service cryptographic identity, hop-by-hop mTLS, and end-to-end service encryption directly into the network fabric. With NetFoundry, IdP integration is optional rather than mandatory, and OIDC and SCIM support can be added without weakening the closed-by-default, authenticate-before-connect architecture. Because identity is enforced at the fabric level, zero trust policies are applied consistently across all use cases, including remote access, multi-cloud, edge, IoT, and machine-to-machine traffic in OT environments. As demands evolve, incumbents may need to re-engineer their platforms, while solutions built on a zero trust foundation from the start are already aligned with those future needs.

Ready to see built-in zero trust in action?

Experience how NetFoundry enforces identity-before-connect, across every connection and every use case, without the weaknesses of bolt-on ZTNA. Start your free trial or book a live demo with our team today.

About NetFoundry

Thousands of businesses, including 2 of the largest 5 in the world, use NetFoundry to securely connect any workflow, via NetFoundry NaaS, on-premises and partner models, replacing anything from VPNs to SD-WANs. NetFoundry’s overlays are the first to be driven by built-in, cryptographically authenticated identities for humans and non-humans (NHI for devices, AIs, OT). Providers use NetFoundry to embed zero trust in their products in an OEM model. NetFoundry is the inventor and maintainer of the world’s most used open source zero trust platform, OpenZiti. Start a free trial, book a live demo or learn more.
