Should you trust your zero trust? Bypassing Zscaler posture checks

synacktiv.com · Webmaster · 23 minutes ago · research
Zscaler is widely used to enforce zero trust principles by verifying device posture before granting access to internal resources. These checks are meant to provide an additional layer of security beyond credentials and MFA. In this blog post, we present a vulnerability that allowed us to bypass Zscaler’s posture verification mechanism. Although the issue has been patched for quite some time now, we observed it still being exploitable in several environments during recent engagements. This post details the configuration of the Zscaler client, the weaknesses in its posture check implementation, and how we leveraged them to access internal networks without satisfying the required security conditions.