CVE-2025-54983

5.2 MEDIUM

📋 TL;DR

A health check port in Zscaler Client Connector (ZCC) on Windows fails to properly close after use under specific circumstances, potentially allowing traffic to bypass ZCC's forwarding controls. This affects Windows users running ZCC versions 4.6 (below 4.6.0.216) and 4.7 (below 4.7.0.47).

💻 Affected Systems

Products:
  • Zscaler Client Connector
Versions: 4.6 versions < 4.6.0.216, 4.7 versions < 4.7.0.47
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of ZCC; requires specific circumstances where the health check port is not properly released after use.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass ZCC's security controls entirely, allowing malicious traffic to reach protected endpoints without inspection or filtering.

🟠 Likely Case

Limited traffic bypass of ZCC controls in specific scenarios where the health check port remains open, potentially exposing some network traffic to unmonitored paths.

🟢 If Mitigated

With proper network segmentation and additional security controls, the impact is limited to potential minor policy bypass on affected endpoints.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the Windows endpoint and specific conditions to trigger the port retention issue.
🏢 Internal Only: MEDIUM - Affected endpoints within the organization could have their ZCC controls bypassed, potentially allowing internal traffic to evade security policies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions to trigger the port retention issue and local access to the affected Windows endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.0.216 or 4.7.0.47 and later

Vendor Advisory: https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025

Restart Required: Yes

Instructions:

  1. Download the latest ZCC version from the Zscaler portal.
  2. Uninstall the current ZCC version.
  3. Install the patched version (4.6.0.216+ or 4.7.0.47+).
  4. Restart the Windows system.

🔧 Temporary Workarounds

Restart ZCC Service (windows)

Restarting the ZCC service may temporarily release the stuck health check port:

Restart-Service -Name ZscalerService

Confirm the service name registered on the endpoint before running this (for example with Get-Service -DisplayName '*Zscaler*'), since Restart-Service fails if the name does not match. This only clears the condition until it recurs; it is not a substitute for the patch.

Network Segmentation (all)

Implement additional network controls to limit traffic even if a ZCC bypass occurs.

🧯 If You Can't Patch

  • Implement additional endpoint security controls to detect and block unauthorized traffic bypass attempts
  • Increase monitoring of network traffic patterns for anomalies indicating ZCC bypass

🔍 How to Verify

Check if Vulnerable:

Check the ZCC version in Windows Settings > Apps > Zscaler Client Connector, or via PowerShell:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Zscaler*'} | Select-Object Name, Version

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Zscaler*'} | Select-Object Version

Note that querying Win32_Product is slow and triggers an MSI consistency check (and possible repair) of every installed package; reading the Uninstall registry keys is a lighter-weight way to get the same version string.

Verify Fix Applied:

Verify installed version is 4.6.0.216 or higher (for 4.6 branch) or 4.7.0.47 or higher (for 4.7 branch)
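As an added example, not taken from this advisory or from Zscaler, the following PowerShell script reads the installed ZCC build from the Windows Uninstall registry keys and compares it with the fixed build for its branch, so the 4.6 and 4.7 thresholds above are applied without manual comparison. The DisplayName filter '*Zscaler*' and the assumption that the product registers an Uninstall key with a dotted DisplayVersion are assumptions, not something the advisory states.

```powershell
# Added example, not from the advisory or from Zscaler: evaluate the installed
# Zscaler Client Connector build against the fixed versions for CVE-2025-54983.
# Assumption: the product registers an Uninstall key whose DisplayName contains
# "Zscaler" and whose DisplayVersion is a dotted build number.

function Test-ZccVulnerable {
    param([Parameter(Mandatory)][version]$Installed)

    # Fixed builds per affected branch, as stated in the advisory.
    $fixed = @{
        '4.6' = [version]'4.6.0.216'
        '4.7' = [version]'4.7.0.47'
    }
    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $fixed.ContainsKey($branch)) {
        # Only the 4.6 and 4.7 branches are listed as affected.
        return [pscustomobject]@{
            Version = $Installed; Branch = $branch; Vulnerable = $false
            Note = 'branch not listed as affected in the advisory'
        }
    }
    [pscustomobject]@{
        Version    = $Installed
        Branch     = $branch
        Vulnerable = ($Installed -lt $fixed[$branch])   # [version] compares all four fields
        Note       = "fixed in $($fixed[$branch])"
    }
}

function Get-ZccInstalledVersion {
    # Uninstall registry keys are read instead of Win32_Product, which triggers an
    # MSI consistency check of every installed package each time it is queried.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zscaler*' } |
        ForEach-Object { $_.DisplayVersion -as [version] } |
        Where-Object { $_ }
}

# Live check on this endpoint (emits nothing if no matching package is registered).
Get-ZccInstalledVersion | ForEach-Object { Test-ZccVulnerable -Installed $_ }

# Constructed sample values to exercise the comparison without a live install.
'4.6.0.215', '4.6.0.216', '4.7.0.47', '4.5.0.10' |
    ForEach-Object { Test-ZccVulnerable -Installed ([version]$_) }
```

Run it in an elevated PowerShell session on the endpoint; a Vulnerable value of True for a 4.6 or 4.7 build means the installed version is below the fixed build for that branch.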

📡 Detection & Monitoring

Log Indicators:

  • Unusual port activity on health check ports
  • ZCC service errors related to port management

Network Indicators:

  • Traffic patterns bypassing expected ZCC inspection points
  • Unexpected connections from endpoints that should be ZCC-protected

SIEM Query:

source="zscaler_logs" AND (event_type="port_error" OR event_type="health_check_failure")
