CVE-2025-15584 Overview
CVE-2025-15584 affects the Endpoint Data Loss Prevention (DLP) module of the Netskope Client on Windows. An unprivileged local user can trigger an integer overflow [CWE-190] within the driver's filter communication port. The resulting kernel-level fault produces a Blue Screen of Death (BSOD) and a denial-of-service condition on the affected host. Exploitation requires the Endpoint DLP module to be enabled in the active client configuration. Netskope disclosed the issue in advisory NSKPSA-2025-006.
Critical Impact
A local low-privilege user can crash Windows endpoints running the Netskope Client with Endpoint DLP enabled, causing a system-wide denial of service.
Affected Products
- Netskope Client for Windows with the Endpoint DLP Module enabled
- Netskope Endpoint DLP Driver (filter communication port component)
- Windows endpoints managed by Netskope with DLP policy enforcement
Discovery Timeline
- 2026-03-17 - CVE-2025-15584 published to the National Vulnerability Database
- 2026-03-18 - Last updated in the NVD database
Technical Details for CVE-2025-15584
Vulnerability Analysis
The flaw resides in the Netskope Endpoint DLP kernel-mode driver, specifically in how the driver processes input received through its filter communication port. Windows minifilter drivers expose communication ports via FltCreateCommunicationPort to allow user-mode components to exchange messages with kernel components. The DLP driver does not adequately validate size or length fields supplied by user-mode callers before performing arithmetic operations on those values.
When a crafted message reaches the port, an arithmetic operation wraps past the maximum integer boundary. The wrapped value is then used in a subsequent memory or buffer operation, leading to a kernel fault and a bug check. The result is an immediate Blue Screen of Death on the local machine. The vulnerability is local in nature and does not enable code execution, privilege escalation, or data exposure.
Root Cause
The root cause is an integer overflow [CWE-190] in the DLP driver's filter communication port message-handling path. User-supplied numeric fields participate in size calculations without sufficient bounds checking. When the calculated value wraps, downstream kernel operations dereference invalid memory or process malformed buffers, triggering a system crash.
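The class of size-calculation error described above, shown as an added example that is not Netskope's driver code and not taken from the advisory. The message layout, field names and function names are hypothetical, and the sample input is constructed; it contrasts an unchecked 32-bit size computation with a validated one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical port message (assumed layout, not Netskope's):
 * a fixed header followed by `count` records of `record_size` bytes. */
typedef struct {
    uint32_t count;
    uint32_t record_size;
} msg_header_t;

/* Unchecked pattern: the 32-bit multiply and add wrap silently, so an
 * oversized request can yield a small "required" size. */
static uint32_t required_unchecked(const msg_header_t *h)
{
    return (uint32_t)sizeof(*h) + h->count * h->record_size;
}

/* Hardened pattern: capture the header once, reject arithmetic that would
 * wrap, then require the result to fit the caller's buffer. Windows drivers
 * get the same checks from RtlULongMult/RtlULongAdd in ntintsafe.h. */
static bool validate_message(const void *input, size_t input_len,
                             uint32_t *required)
{
    msg_header_t h;
    if (input == NULL || input_len < sizeof(h))
        return false;                     /* header itself is truncated */
    memcpy(&h, input, sizeof(h));         /* single capture of caller data */
    if (h.record_size != 0 &&
        h.count > (UINT32_MAX - (uint32_t)sizeof(h)) / h.record_size)
        return false;                     /* header + count * size wraps */
    uint32_t total = (uint32_t)sizeof(h) + h.count * h.record_size;
    if (total > input_len)
        return false;                     /* claims more than was sent */
    *required = total;
    return true;
}

int main(void)
{
    msg_header_t wrap = { 0x20000000u, 8u };   /* constructed sample input */
    uint32_t need = 0;
    printf("unchecked size: %u\n", (unsigned)required_unchecked(&wrap));
    printf("validated: %d\n", validate_message(&wrap, sizeof(wrap), &need));
    return 0;
}
```

The validated path rejects the message before any size derived from caller-supplied fields reaches a buffer operation.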
Attack Vector
Exploitation requires local access with low privileges on a Windows endpoint running the Netskope Client with Endpoint DLP enabled. A user-mode process opens a handle to the driver's communication port and sends a crafted message containing values designed to overflow internal size calculations. No user interaction beyond running the attacker-controlled process is required. The impact is limited to availability of the local host. No verified public proof-of-concept is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-15584
Indicators of Compromise
- Unexpected Windows bug checks (BSOD) on endpoints running the Netskope Client, particularly those whose crash stack references the Netskope DLP driver
- Memory dump files (MEMORY.DMP, Minidump\*.dmp) implicating the Netskope minifilter driver
- System Event Log entries with Event ID 1001 (BugCheck) correlating with sessions of non-administrative users
Detection Strategies
- Correlate Windows kernel crash telemetry with the presence of the Netskope DLP driver in the faulting module field
- Hunt for unprivileged processes opening handles to the Netskope DLP filter communication port followed by an immediate system shutdown event
- Flag repeated BSOD events across multiple endpoints running the same Netskope Client build as a potential coordinated exploitation pattern
Monitoring Recommendations
- Forward Windows kernel bug check events and WER (Windows Error Reporting) crash reports to a centralized log platform for correlation
- Track Netskope Client version, DLP module status, and crash frequency per host to identify outliers
- Alert on user-mode processes from non-administrative accounts that interact with kernel minifilter communication ports prior to a crash
How to Mitigate CVE-2025-15584
Immediate Actions Required
- Review Netskope advisory NSKPSA-2025-006 and identify all Windows endpoints running the Netskope Client with the Endpoint DLP module enabled
- Deploy the fixed Netskope Client build to affected hosts through the Netskope tenant configuration
- Prioritize endpoints used by users with the ability to run arbitrary local binaries, such as developer and analyst workstations
Patch Information
Netskope has issued guidance and a fixed client version through advisory NSKPSA-2025-006. Refer to that advisory for the specific fixed Netskope Client release and rollout instructions for the Endpoint DLP driver.
Workarounds
- Where business risk allows, temporarily disable the Endpoint DLP module in the Netskope client configuration until patched clients are deployed
- Restrict local logon rights on sensitive Windows endpoints to limit which users can execute code that interacts with the DLP driver port
- Enable automatic restart and crash dump collection so that any exploitation attempt leaves forensic data and the host recovers with minimal downtime

