CloudFlare Warp

Cloudflare WARP Windows: Symlink Deletion via Privilege mgmt (<=2024.12.492.0)
CVE-2025-0651 7.1 - High - January 22, 2025

Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. User with a low system privileges  can create a set of symlinks inside the C:\ProgramData\Cloudflare\warp-diag-partials folder. After triggering the 'Reset all settings" option the WARP service will delete the files that the symlink was pointing to. Given the WARP service operates with System privileges this might lead to deleting files owned by the System user. This issue affects WARP: before 2024.12.492.0.

Cloudflare WARP Override Code Exploit: Local User Can Extend VPN Disconnect Time
CVE-2023-3747 5.5 - Medium - September 07, 2023

Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running.

Reliance on Cookies without Validation and Integrity Checking

Tapjacking VULN in WARP Mobile Client <6.29 for Android
CVE-2023-0654 3.7 - Low - August 29, 2023

Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.

Clickjacking

Cloudflare WARP Mobile Client <=6.29 Android Task Manipulation
CVE-2023-0238 5.5 - Medium - August 29, 2023

Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app.

Cloudflare WARP Windows Client leaks ULA IPs exposing local DNS queries
CVE-2023-2754 6.8 - Medium - August 03, 2023

The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.

Cleartext Transmission of Sensitive Information

Cloudflare WARP Windows IPC NamedPipe RCE v2023.3.381.0
CVE-2023-1862 7.3 - High - June 20, 2023

Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target's device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target's device must've been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target's credentials.

Hardlink Privilege Escalation in Cloudflare WARP Client <= 2022.12.582.0
CVE-2023-0652 7.8 - High - April 06, 2023

Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.

insecure temporary file

CVE-20231412: Cloudflare WARP Client MSI PrivEsc via Oplocks (2022.12.582.0)
CVE-2023-1412 7.8 - High - April 05, 2023

An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user). After installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\Windows\Installer. The vulnerability lies in the repair function of this MSI. ImpactAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation. PatchesA new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems.

insecure temporary file

WARP Android Manifest Misconfig Enabling Task Hijacking
CVE-2022-4457 5.5 - Medium - January 11, 2023

Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack legitimate app and steal potentially sensitive information when installed on the victim's device.

Privilege Escalation via Unvalidated support_uri in Cloudflare WARP (mdm.xml)
CVE-2022-4428 8 - High - January 11, 2023

support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and launching an arbitrary executable on the local machine upon clicking on the "Send feedback" option. An attacker with access to the local file system could use a crafted XML config file pointing to a malicious file or set a local path to the executable using Cloudflare Zero Trust Dashboard (for Zero Trust enrolled clients).

Improper Input Validation

Cloudflare WARP iOS Lock Switch Bypass
CVE-2022-3322 7.5 - High - October 28, 2022

Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.

Improper Verification of Cryptographic Signature

Cloudflare WARP iOS: Delete VPN Profile Bypass Lock WARP Switch
CVE-2022-3337 8.5 - High - October 28, 2022

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

Authentication Bypass by Spoofing

CVE-2022-3512: WARP-CLI add-trusted-ssid Bypass of Lock Feature
CVE-2022-3512 8.8 - High - October 28, 2022

Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint.

CVE-2022-3320: Cloudflare WARP Zero Trust Policy Bypass via set-custom-endpoint
CVE-2022-3320 9.8 - Critical - October 28, 2022

It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint.

AuthZ

Priv Escal via warp-cli Disable Cmds in Cisco Secure WARP
CVE-2022-2225 7.8 - High - July 26, 2022

By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as 'Lock WARP switch'.

Cloudflare WARP client for Windows (up to v
CVE-2022-2145 7.8 - High - June 28, 2022

Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.

insecure temporary file

Cloudflare Warp for Windows
CVE-2022-2147 7.8 - High - June 23, 2022

Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to privilege escalation. The fix was released in version 2022.3.186.0.

Unquoted Search Path or Element