20 January 2026

SIA: On-premises Windows connections to IP-based targets using ZSP

Secure Infrastructure Access (SIA) now allows users to establish RDP connections to on-prem Windows targets by IP address while maintaining Zero Standing Privileges. This is particularly useful for environments where DNS infrastructure or FQDNs aren’t available, removing a common deployment blocker for extending ZSP coverage across legacy or segmented networks.





16 December 2025

ZSP for Entra groups is now available

ZSP for Entra Groups allows for dynamic and temporary assignment of users to Entra groups within your Microsoft Entra ID directories. This means users can be granted access to specific M365 services or applications only when they need it, and for a limited time, without the need to manage the different roles in the ZSP policy.

“Secure Cloud Access and its new Zero Standing Privilege (ZSP) feature for Entra Groups allows for dynamic and temporary assignment of users to Entra groups within Microsoft Entra ID directories. This means users can be granted access to specific M365 services or applications only when they need it, and for a limited time, without the need to manage the different roles in the ZSP policy.”



29 October 2025

CyberArk: CA25-35 – Possible race condition that may lead to denial of service (DoS) by unauthenticated users.

Issued: October 29, 2025

Updated: N/A

Version: 1.0

Severity: High

CVSS Score: 8.7

Third-party publication / CVE: N/A

Impact: Possible race condition that may lead to denial of service (DoS) by unauthenticated users.

Affected Products And Versions: Privileged Session Manager for SSH (PSMP), Self-Hosted – All versions prior to version 14.6.1 – All product subsets are affected

Resolution:

Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.

PSM for SSH 14.6 (LTS) and its patches prior to 14.6.1 – Patch to version 14.6.1 – Download patch / Documentation

PSM for SSH 14.2 (LTS) and its patches prior to 14.2.3 – Patch to version 14.2.3 – Download patch / Documentation

Temporary Mitigation:

There is no temporary mitigation available for this security bulletin.




29 October 2025

CyberArk: CA25-34 – Possible Denial of Service (DoS) attack on HTML5 Gateway server

Issued: October 29, 2025

Updated: N/A

Version: 1.0

Severity: High

CVSS Score: 8.1

Third-party publication / CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-50106, https://nvd.nist.gov/vuln/detail/cve-2024-30172

Impact: Possible Denial of Service (DoS) attack on HTML5 Gateway server

Affected Products And Versions:

HTML5 Gateway Container and RPM, Self-Hosted – All versions prior to version 14.6 (incl.) – All product subsets are affected

Resolution:

Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.

Version 14.6 – Patch to version 14.6.1 – Download patch / Documentation

Version 14.2 – Patch to version 14.2.2 – Download patch / Documentation

Version 14.0 – Patch to version 14.0.2 – Download patch / Documentation

Temporary Mitigation:

There is no temporary mitigation available for this security bulletin.