Trust

Security Advisory: Linux Kernel Vulnerability (CVE-2026-31431) - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 01 May 2026 00:00:00 GMT

On April 29, 2026, Zscaler was made aware of CVE-2026-31431, a Local Privilege Escalation (LPE) vulnerability affecting Linux kernel versions 4.14 and later. Zscaler has addressed the vulnerability across all its clouds through patching or mitigation.

Zscaler Internet Access (ZIA) distributed products are not impacted. Zscaler suggests adhering to the instructions issued by the operating system vendors for any Linux systems and Zscaler products listed below:

Zscaler Private Access (ZPA): App Connector, Network Connector, Private Service Edge (PSE), Private Cloud Controller (PCC)
Zero Trust Branch (ZTB)

Vendor recommended remediations:

Cellular Portal Migration to Experience Center - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, zslogin.net

Thu, 30 Apr 2026 00:00:00 GMT

Zscaler Cellular Portal is Being disabled—Move to Experience Center by May 15, 2026

What is changing?

Effective May 15, 2026, Zscaler is disabling the Zscaler Cellular Portal at https://admin.ztsim.com. After this date, the Zscaler Cellular Portal will no longer be available for managing or monitoring Zscaler Cellular services.

To continue administering and gaining visibility into Zscaler Cellular services, customers must use Zscaler Experience Center at https://console.zscaler.com—Zscaler’s centralized administrative and insights platform.

Who is impacted?

All customers currently using the Zscaler Cellular Portal for configuration, operations, monitoring, or troubleshooting of Zscaler Cellular services.

Key information

Zscaler Cellular Portal disablement date: May 15, 2026.
Management and monitoring in one place: Use the Experience Center to configure, manage, and monitor Zscaler Cellular services.
Avoid operational disruption: Ensure your teams transition workflows and access before May 15, 2026, to prevent loss of administrative access and visibility.

Next steps

Start using Experience Center: Log in to https://console.zscaler.com and validate your access to the Zscaler Cellular experience needed for your role.
Transition operational workflows: Update runbooks, bookmarks, and internal documentation to point to Experience Center for Zscaler Cellular management and monitoring.
Engage your Zscaler Account team: Your Account Team or Technical Success Manager can help confirm readiness, access, and best practices for the move.

What if I have more questions?

Contact Zscaler Support using the Support link in the Zscaler help portals, or call:

+1 (408) 752-5885

+1 (844) 971-0010 (U.S.)

Update 4/30: Title Change

Operational Resilience Update: Managing Subsea Cable Risk in the Persian Gulf and Beyond - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Thu, 23 Apr 2026 00:00:00 GMT

Current geopolitical conditions have elevated the risk of potential disruptions to subsea cable infrastructure in the Persian Gulf region.
If such events occur, we would expect the primary impact to be localized within the Gulf, including countries such as Iran, Iraq, Qatar, Kuwait, and to a lesser extent the UAE and Saudi Arabia. The most likely effect would be reduced capacity or constrained routing options, which may result in localized performance degradation rather than widespread outages.
For traffic between India and Europe, the majority of primary connectivity paths traverse the Gulf of Aden and Red Sea corridor. As a result, activity in the Persian Gulf region alone is not expected to materially impact these routes.
Following earlier incidents in the Red Sea, we have implemented enhanced monitoring across key paths between India, Europe, and the United States. This allows us to rapidly detect anomalies and take action where possible.
Our architecture is designed with resilience in mind:

We maintain carrier diversity and can dynamically route traffic across multiple providers
We partner closely with leading hyperscalers to engineer traffic paths where feasible
Our engineering teams have pre-tested mitigation strategies to respond to large-scale network events

When disruptions occur, our teams actively work to minimize impact by leveraging available routing, partner, provider, and architectural options.
While the precise impact of any given event depends on its scope and severity, please be assured that we are actively monitoring the situation and are prepared to respond quickly to protect service continuity.

Migration Notice: VPN (for Legacy Apps) - Upgrading VPN Service Edge/Network Connector - private.zscaler.com, zpatwo.net, zpabeta.net

Wed, 22 Apr 2026 00:00:00 GMT

Upgrading VPN Service Edge/Network Connector from Previous Generation to Next Generation with BGP Support

As part of Zscaler’s ongoing efforts to standardize and modernize its public cloud infrastructure, customers currently using the previous generation VPN Service Edge and Network Connectors are required to migrate to the next generation VPN Service Edge with BGP support, along with Network Connectors that support BGP.

The next generation VPN Service Edge and Network Connectors offer enhanced scalability, improved resiliency, and dynamic routing capabilities through BGP.

What’s Changing:

All customers using the previous generation VPN Service Edge and Network Connectors must complete their migration to the next generation VPN Service Edge and Network Connectors with BGP support by July 31, 2026.

After this date, the previous generation VPN Service Edge and Network Connectors will no longer be supported.

Who is Impacted:

This applies only to customers currently using the previous generation VPN Service Edge and Network Connectors.

Customers already deployed on the next generation VPN Service Edge (BGP-enabled) and Network Connectors are not impacted.

How can you verify whether you are impacted by this? Learn More

Navigate to the VPN Service Edge configuration page
- Confirm that BGP Local Router ID is enabled
- Confirm that Redundant Mode is enabled
- If both settings are enabled, you are not impacted by this migration associated with the advisory
Navigate to the Network Connector configuration > Click on edit
- Confirm that BGP Local Router ID is enabled
Navigate to the Network Connector Group configuration
- Confirm that Redundant Mode is enabled by expanding the group.
If both settings are enabled, you are not impacted by this migration associated with the advisory

Migration Steps:

Here’s the public documentation outlining all the steps in the correct sequence: Replacing or Migrating Existing Network Connectors with Network Connectors that Support Redundancy

Regarding BGP, peering between the Network Connectors and VPN Service Edges is automatically established (Managed by Zscaler). Once firewall whitelisting is configured for UDP ports 51820–53000 on the perimeter firewall, BGP will automatically establish between the Network Connectors and the VPN Service Edges.

On the customer side (Layer 3 router, switch, or firewall device to Network Connectors), BGP is recommended but optional. If the customer chooses not to use BGP, they can continue using static routing by configuring routes that point to multiple Network Connectors as the next hop.

When using static routing, “Advertise LAN Segments Locally” in the Network Connector group must be enabled.
When using BGP between a Layer 3 router, switch, or firewall device and the Network Connectors, you must disable “Advertise LAN Segments Locally” in the Network Connector group.

Note: After the migration is successfully completed and all functionality is verified, the previous generation VPN Service Edge and Network Connector must be decommissioned to fully complete the transition.

Required Action:

Please plan and complete the migration during a scheduled maintenance window.

Important: Make sure that redundancy is enabled in the tenant - Contact Zscaler Support or your Zscaler Account team and make sure that the VPN (for Legacy Apps) redundancy flag is enabled.

Outcome:

After migration, traffic will be routed through the new BGP-enabled VPN Service Edge and Network Connectors, delivering:

Improved Resiliency
Dynamic routing
Improved scalability
Standardized cloud architecture

Zscaler Client Connector for VDI Deployment Issue - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, zslogin.net

Fri, 17 Apr 2026 00:00:00 GMT

Zscaler detected an issue where the existing access token that was generated before April 11 can not be used to deploy Zscaler Client Connector. As a workaround customers can create a new access token while the Zscaler team investigates and fixes the issue.

Affected Services: Zscaler Client Connector for VDI

Workaround:
- Generate a new access token from the Cloud and Branch Connector portal (Administration > VDI Templates) and use the new token for any new deployments
- For non-persistent VDI where no users backup/restore was implemented: Update the golden/master image with the new access token, this is critical since the agent re-enrolls on every boot.

Root Cause: Central Authority (CA) certificate update caused this issue.

UI Node will stop supporting Public API Traffic - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Thu, 16 Apr 2026 00:00:00 GMT

Zscaler is announcing the official retirement of UI nodes for servicing Public API traffic. Currently, some Public API traffic lands on UI nodes instead of the designated Zscaler API (ZSAPI) nodes.

To ensure optimal performance and alignment with our architectural standards, UI nodes will stop servicing Public API calls starting September 01, 2026. This follows the initial announcement of the ZSAPI framework transition made in April 2021 under the section Updates to Cloud Service API.

Customer Impact

Any automation scripts, programs, or third-party integrations currently sending Public API traffic to UI nodes (`admin.<Zscaler Cloud Name>`) will no longer be supported after September 01, 2026.

Customers who have already transitioned to ZSAPI or OneAPI frameworks are not impacted.

Customer Guidance & Action Required

To avoid service disruption, all necessary changes must be completed by August 31, 2026. Customers have two options to mitigate this risk:

Option 1: Transition to OneAPI Framework (Recommended)

Zscaler recommends transitioning to the OneAPI framework, our new and unified automation framework for all Zscaler products.

Endpoint: `https://api.zsapi.net`
Getting Started: Refer to the Zscaler OneAPI documentation for migration guides and developer resources.

Option 2: Transition to ZSAPI Nodes (Legacy Framework)

Update your existing automation scripts or code to point to ZSAPI nodes instead of UI nodes.

Identify: Locate instances using `https://admin.<Zscaler Cloud Name>` for API calls.
Replace: Update the endpoint to `https://zsapi.<Zscaler Cloud Name>`.

Zscaler Partner Integrations Impact

If you are using any Zscaler Partner Integrations, refer to the official guides on how to update the endpoint API using Option 2 above.

Timeline

Initial Announcement: April 2021
Deadline for Customer Action: August 31, 2026
Retirement Date (End of Service): September 01, 2026

What if I have more questions?

If you have additional questions, contact your Technical Success Manager or Zscaler Support via the Support link in the Zscaler Internet Access or ZIdentity Admin Portal, or call us at +1 (408) 752-5885. Within the U.S., you can use +1 (844) 971-0010

Update 4/27: Verbiage update

Performance Degradation Impacting Case Creation - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Tue, 14 Apr 2026 00:00:00 GMT

Zscaler is currently aware of a performance degradation affecting case creation, associated with a third-party service provider. At this time, core Zscaler services, including the data plane and control plane, continue to operate normally. We are actively collaborating with the impacted service provider, who has acknowledged the issue within their managed infrastructure and is working toward resolution. The service provider has identified the underlying cause and initiated remediation actions. Based on current guidance, full restoration is expected to take several hours.

Customer Impact: Affected customers may experience elevated response times when creating or updating records via the user interface or through integrations. In high-volume scenarios, this may also result in intermittent errors during transaction processing, including workflows such as case creation, live chat interactions, and automated flows.

Workaround: Customers requiring immediate assistance are advised to contact Zscaler Support via phone for expedited handling.

Zscaler is actively collaborating with the service provider and will continue to provide updates as more information becomes available.

Latest Update - Tue, 14 Apr 2026 22:00:57 UTC

The issue impacting case creation has been resolved. The service provider has implemented the fix and confirmed that services have been restored. Zscaler will continue to monitor the environment in collaboration with the service provider to ensure ongoing stability.

Update - Tue, 14 Apr 2026 22:00:57 UTC

Delay in Processing Inbound Emails to Support Cases - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Wed, 08 Apr 2026 00:00:00 GMT

Zscaler is aware of an issue impacting delay in processing inbound emails to support cases.

Zscaler services are operating normally; delays are currently impacting the synchronization of inbound email communications related to support cases. This is due to a dependency issue with our service provider that is affecting email processing, leading to slower updates. Zscaler is actively coordinating with the service provider to restore normal functionality.

Impact: During this time, customers may experience delays in email updates, including slower responses or delayed synchronization of messages within existing or new support cases.

Workaround: Customers needing urgent assistance should contact Zscaler Support by phone or update their case directly through the Customer Support Portal.

Zscaler will continue to provide updates as more information becomes available and service is restored.

Update - Wed, 08 Apr 2026 22:51:51 UTC

Zscaler has received confirmation that the issue has been addressed and a fix has been implemented by the service provider. Emails that were temporarily delayed have been automatically retried and are now being processed. The service provider is continuing to monitor stability, and Zscaler is actively monitoring the environment to ensure sustained recovery.

Axios Supply Chain Attack Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 03 Apr 2026 00:00:00 GMT

Zscaler has analyzed the supply chain compromises affecting the Axios npm packages. Analysis confirms no impact to Zscaler platforms, products, or internal systems.

As a best practice, customers should review their environments for the following impacted versions:

Axios npm package versions: 1.14.1 and 0.30.4

Actions if you have an impacted version:

Update/Revert: Revert or pin Axios to known safe versions (e.g., 1.14.0 or 0.30.3)
Rotate Credentials: Update all API keys, cloud tokens, and environment variables associated with this library.

Zscaler will continue to monitor the situation and update this post if new information emerges.

Action Required — Verify/Correct Your Z-Identity IdP “Primary Email” Attribute Mapping - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Tue, 31 Mar 2026 00:00:00 GMT

Zscaler is proactively reaching out to help prevent potential login failures to the Z-Identity Admin Console when authenticating through your Identity Provider (IdP). Based on monitoring, your tenant may be missing or mis-mapping the required Primary Email attribute used during JIT (Just-In-Time) provisioning.

This advisory relates to the recent incident and follow-up corrective actions (Reference: Trust Post: Z-Identity Portal Issue).

What is the issue?

On Mar 21st, some customers experienced login failures to the Z-Identity Admin Console when authenticating via their IdP. The error observed was:

“Invalid Input Error: Primary Email is required.”

Why this is needed

Zscaler deployed an update to improve validation of attributes during JIT provisioning. A subset of customers encountered login failures where the IdP was not sending the required email attribute or it was incorrectly mapped. To restore stability, Zscaler reverted the change.

Zscaler is now running a monitoring-only period and asking customers to validate/correct mappings before the improved validation is re-enabled in a controlled manner.

Who is impacted?

You may be impacted if all of the following apply:

IdP-based authentication is enabled (SSO via Google Workspace, Azure AD, Okta, etc.)
JIT provisioning is enabled
The Primary Email attribute mapping is missing or incorrect (wrong attribute name or not present in the IDP assertion)

Why JIT matters: JIT synchronizes user attributes from the IdP to Z-Identity at login; missing/incorrect Primary Email mapping is most likely to cause failures when validation is re-enabled.

Action Required — Verify your IdP “Primary Email” attribute mapping

Quick verification steps

Confirm IDP assertion includes an email address
- In your IdP admin console, open the Zscaler Z-Identity IDP app configuration.
- Use Test / Preview IDP Response.
- Verify an email attribute is present and contains the user’s email address.
Confirm attribute/claim mapping matches the assertion
- Review your IdP attribute/claim mappings.
- Ensure the mapped attribute name matches the actual attribute name in the assertion.
Recommended: Test with JIT provisioning
- Create a new test user in the IdP that does not exist in Z-Identity.
- Attempt login to the Z-Identity Admin Console via IdP.
- Expected results:
  - If the user is created successfully → mapping is correct.
  - If you see “Primary Email is required” → mapping needs correction.

If your test fails (remediation)

Update the IdP mapping to use the correct email attribute name
Ensure the email attribute is included in the IDP assertion
Re-test using a new JIT user
Notify your TSM/Zscaler Support once corrected

Timeline / next steps

Zscaler plans to re-enable the updated validation in approximately three weeks. Customers are requested to remediate before April 15th to ensure adequate time for correction and testing.

Support / escalation

If you need help validating the IDP assertion or correcting the mapping, contact Zscaler Support and include:

Your IdP vendor/type
Screenshot/description of your email attribute/claim mapping
(If available) the attribute name used for email in the IDP assertion (no sensitive data required)

Experience Center – SSO Error When Accessing Support Tab - zslogin.net

Fri, 27 Mar 2026 00:00:00 GMT

Zscaler is investigating an issue impacting Experience Center customers, where users may encounter an SSO error when navigating to the Support tab within the Experience Portal.

Impact: Customers attempting to access the Support tab through the Experience Center portal may be unable to successfully authenticate via SSO. All other platform functionalities remain unaffected.

Workaround:
Customers can continue to access the Support Portal using the following validated workaround:

Log in to an alternate Zscaler Product Admin Portal (e.g., ZIA, ZPA, or ZDX)
Navigate to the Support Portal from that product interface
From there:
- View existing cases across all products, including Experience Center, or
- Create a new case and manually select:
  - Product: Experience Center
  - Company ID: Corresponding Experience Center tenant

Zscaler has identified the underlying cause of the issue and a fix has been developed. Deployment of the fix is currently planned for March 28, 2026, during the Maintenance Window.

Update - Sat, 28 Mar 2026 09:59:05 UTC

Zscaler has deployed a fix, and the issue impacting access to the Support tab in the Experience Center portal has been resolved. Services have been restored, and customers should now be able to access Support functionality normally. Zscaler will continue to monitor the environment to ensure ongoing stability.

Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 27 Mar 2026 00:00:00 GMT

Zscaler has analyzed the supply chain compromises affecting the Trivy security scanner and LiteLLM. Analysis confirms no impact to Zscaler platforms, products, or internal systems, including AI Guard.

As a best practice customers should review their environments for the following impacted versions:

Trivy: Container images v0.69.5–v0.69.6
LiteLLM: Versions 1.82.7 and 1.82.8.

Actions if you have an impacted version:

Update/Revert: Upgrade Trivy to v0.69.7 or later and downgrade LiteLLM to v1.82.6.
Rotate Credentials: Update all API keys, cloud tokens, and environment variables associated with these tools.

Zscaler will continue to monitor the situation and update this post if new information emerges.

CBI Original URL Experience Degradation - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Fri, 20 Mar 2026 00:00:00 GMT

Zscaler is actively implementing mitigation measures for an intermittent, low-impact issue affecting the Zscaler Internet Access (ZIA) Service Edge. As part of our troubleshooting and remediation process, we are making adjustments to a specific feature indicated by our data to be triggering the issue.

As a result, some Cloud Browser Isolation (CBI) customers who have enabled the newly released Original URL feature in their Isolation Profile may periodically still see the full CBI URL instead of the original URL. While we understand this is a degradation in experience for end users, there should be no impact to core CBI functionality.

Update - Wed, 29 Apr 2026 17:22:03 UTC

The fix is now globally available across all clouds, and customers can proceed with feature enablement through the standard operational process.

SaaS Application Activity Data Not Displaying in Activity Logs - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Mon, 16 Mar 2026 00:00:00 GMT

Activity Logs are currently not displaying SaaS application activity data. Zscaler is actively working to resolve this issue.

Who is impacted?
ZIA customers who have onboarded and configured Data-at-Rest scanning for SaaS applications may temporarily be unable to view SaaS-related activity data in Activity Logs.

When will this be resolved?
A fix is currently being deployed and is expected to be completed across all Zscaler clouds by March 22, 2026.

What are my next steps?
No action is required from customers at this time. Zscaler will continue to monitor the deployment to ensure full restoration of activity log visibility.

Latest Update - Mon, 23 Mar 2026 04:09:49 UTC

The fix has been deployed on the remaining clouds and the issue is now resolved.

Update - Tue, 17 Mar 2026 06:28:51 UTC

As per the latest update, the fix has been deployed across the ZS1, ZSC, and ZSN clouds, and deployment on ZS2 and ZS3 is scheduled to complete by March 22, 2026.

Update - Mon, 23 Mar 2026 04:09:49 UTC

The fix has been deployed on the remaining clouds and the issue is now resolved.

Deprecation of Individual Administrative UIs - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, zslogin.net

Mon, 16 Mar 2026 00:00:00 GMT

What is changing?

Zscaler is deprecating individual administrative User Interfaces (UIs). Customers must migrate to ZIdentity and Experience Center, Zscaler’s centralized administrative and insights platform, to take advantage of new features and innovations.

Who is impacted?

All customers not currently using ZIdentity for administrative purposes must complete the migration to have access to new features and innovations.

Key Information

Access Experience Center: To use the latest administrative capabilities, customers must complete migration to ZIdentity for Administrators and access Experience Center (https://console.zscaler.com).
Exclusive Features Beginning on April 1st 2026: Starting in April 2026, all new features and product enhancements are available exclusively on Experience Center.
Innovations Exclusive to Experience Center: Risk360, Health360, Zero Trust Branch, and all future innovations are available only on Experience Center.
Legacy UIs Maintenance Mode on April 1st 2026: Legacy administrative UIs will go into maintenance mode starting in April 2026. This means you can still apply configuration changes in the legacy administrative UIs but no new features will be added to them. All new developments will be exclusive to the Experience Center.
Legacy UIs Deprecation on September 30th 2026: Legacy administrative UIs will be deprecated
Executive dashboards with key insights that are showcased in the Executive Insights App (the new mobile CXO app) are only present in Experience Center.

To learn more, read our blog post: Embracing the Future of Zero Trust Administration with ZIdentity and Experience Center.

Next Steps

Engage your Zscaler Account team: Your Zscaler Account team or Technical Success Manager can assist with planning and completing your migration to ZIdentity and enabling Experience Center.
Complete your migration to ZIdentity: Visit the ZIdentity migration page to submit your request for migration. Review the ZIdentity migration documentation for detailed migration guidance. The time required to complete migration depends on your organization, but it can be as quick as setting up a new connection with your identity provider.
Start using the Experience Center at https://console.zscaler.com.

What if I have more questions?

If you have additional questions, contact Zscaler Support via the Support link in the Zscaler Internet Access or ZIdentity Admin Portal, or call us at +1 (408) 752-5885. Within the U.S., you can use +1 (844) 971-0010.

Update 3/25/26: Updated verbiage

Sitereview Portal Validation Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Mon, 16 Mar 2026 00:00:00 GMT

Site review is used by customers and their users to submit URL categorization and review requests to Zscaler. To provide a more secure environment for our ZIA customers, Zscaler is refining how the Site review portal authorizes URL recategorization and review requests. Previously, the portal accepted requests if either the Source IP or the X Forwarded For header belonged to a Zscaler IP address range. As part of a security enhancement, we are removing reliance on the X Forwarded For header. Access will now be restricted to requests originating from a recognized Zscaler Source IP address range or an explicitly whitelisted non Zscaler Source IP.

What Changed

Validation Logic Update: We are moving from a model that allows either a Zscaler Source IP OR a Zscaler XFF header to a model that requires a Zscaler Source IP.
Deprecation of XFF Headers: The portal will no longer consider the X-Forwarded-For header as a valid identifier for request origin.

Impacted Areas

Service: Sitereview Portal (https://sitereview.zscaler.com/)
Users: ZIA customers performing URL recategorization reviews.

What is Not Allowed

Submissions from non-Zscaler Source IPs that rely solely on the XFF header to identify as a Zscaler customer will no longer be accepted.

What is Allowed

Submissions originating from any valid Zscaler Source IP address.
Submissions from specific customer-owned (non-Zscaler) Source IPs that have been explicitly whitelisted by Zscaler.

Expected Behavior

To ensure minimal disruption, Zscaler has already proactively whitelisted known existing non-Zscaler Source IPs used by our customers. We expect most users to experience no change in service.

For users where submission was previously working but stopped working after a change, they should do the following:

Confirm they are accessing Sitereview from a Zscaler IP address (i.e., traffic is egressing through Zscaler).
If they must submit from a non-Zscaler egress IP, contact the Zscaler Support Team to request whitelisting (allowlisting) of their non-Zscaler Source IP.

Implementation Timeline

This update will be fully implemented after April 4, 2026.

Summary

Zscaler is updating the request validation logic for the Sitereview portal (sitereview.zscaler.com) to enhance security. Effective April 4, 2026, the portal will transition to strictly validating the Source IP address for all submissions.

Commercial Salesforce Security Notification - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 13 Mar 2026 00:00:00 GMT

On March 10, 2026, Zscaler was made aware of a campaign targeted at the Salesforce Experience Center impacting a large number of Salesforce customers, including Zscaler. Following guidance from Salesforce, Zscaler completed remediation of the incident on March 11, 2026.

Unauthorized access to personal data was limited to the Name and Email Address field from the Commercial Zscaler Community Portal. The scope of the incident was confined to the Zscaler Commercial Salesforce tenant and did not impact the Zscaler Federal Salesforce tenant.

Zscaler's products, services and/or underlying systems and infrastructure were not impacted and no sensitive PII was accessed or exposed.

Improved Input Validation for User-Editable Text Fields - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 06 Mar 2026 00:00:00 GMT

We’ve enhanced validation for certain user-editable fields to ensure user-provided values remain plain text and render consistently across the UI (including tables, tooltips, and logs).

What Changed

ZIA now enforces stricter validation on specific text fields to prevent the use of:

HTML / markup
HTML-encoded markup / HTML entities (including entity-based representations of special characters or whitespace)

If disallowed input is detected, the API will reject the request with HTTP 400 (Bad Request).

Impacted Areas (where this validation applies)

Impacted Areas	KB Document
Webhook names	https://help.zscaler.com/zia/adding-webhook
PAC file names & descriptions	https://help.zscaler.com/zia/about-hosted-pac-files
Static IP descriptions	https://help.zscaler.com/zia/self-provisioning-static-ip-addresses
URLs in URL categories	https://help.zscaler.com/zia/configuring-custom-url-categories
Extranet names	https://help.zscaler.com/zia/configuring-extranet
Location group names	https://help.zscaler.com/zia/configuring-dynamic-location-groups

What Is Not Allowed (Rejected with HTTP 400)

HTML / Markup in Input Fields Examples (NOT allowed):
- poc<a href="...">X</a>
- <script>alert(1)</script>
- <img src=x onerror=alert(1)>
- <svg onload=alert(1)>
HTML-Encoded Markup / HTML Entities Examples (NOT allowed):
- < , > (encoded < and >)
- &Tab; (encoded tab)
- poc<a href=javascript:confirm(document.domain)>X</a>

What Is Allowed

Plain text values that do not contain HTML markup or HTML entity encodings.

Example (allowed):

Webhook for audit notifications - test environment

Expected Behavior / User Impact

Requests containing disallowed content are rejected with HTTP 400 (Bad Request).
The object will not be created/updated with the invalid value.
This ensures user-provided values render predictably in UI locations such as tables, tooltips, and audit logs.

Implementation Timeline

Starting from 15 March, we will begin the update rollout process.
The rollout will be performed cloud-by-cloud (each production cloud will be updated one by one).
By 31 March, the update is expected to be deployed across all production clouds.

Summary

As part of a product hardening enhancement, the API now rejects inputs containing HTML markup or HTML entity-encoded markup in select user-editable fields (e.g., webhook names, PAC file metadata, URL category URLs, and naming/description fields). Requests with such values will return HTTP 400.

For any further information, please feel free to reach out to the Zscaler Support team.

VPN Legacy Application Issue - private.zscaler.com

Mon, 02 Mar 2026 00:00:00 GMT

Zscaler continues to monitor the previously reported service disruption impacting private.zscaler.com, affecting access to VPN Legacy Applications for a subset of users.

Initial telemetry and early recovery indicators suggested that service behavior had stabilized; however, subsequent monitoring has confirmed that intermittent impact remains for a subset of users. According to the cloud provider’s status page, two Availability Zones (mec1-az2 and mec1-az3) in the AWS ME-CENTRAL-1 Region are currently experiencing impairment, and AWS is actively working toward full restoration.

Customers may refer to the cloud provider’s status page for additional updates related to the underlying infrastructure Status Page.

Zscaler continues close monitoring of the situation and will provide further updates as additional information becomes available or once full service stability is confirmed. Customers requiring assistance or continuing to experience impact are encouraged to contact Zscaler Support for further investigation and guidance.

VPN Legacy Application Issue - private.zscaler.com

Sun, 01 Mar 2026 00:00:00 GMT

Zscaler is currently investigating an issue affecting Legacy VPN application services for customers in the UAE region. Initial findings indicate that this disruption is related to an AWS service issue within Availability Zone mec1-az2 in the ME-CENTRAL-1 region.

Our operations team is monitoring the situation closely and working toward mitigation. We will provide further updates as more information becomes available.

We will continue to provide updates here as the investigation progresses. For detailed updates, please check the Service Status section in your Zscaler customer support portal (CSP). Status changes and additional details will be posted there as they become available.

Latest Update - Mon, 02 Mar 2026 02:47:13 UTC

The AWS service disruption has recovered, and Zscaler is considering this issue resolved.

Update - Sun, 01 Mar 2026 17:23:03 UTC

An issue within AWS was identified, and Zscaler teams are actively working to address and mitigate the problem.

Update - Mon, 02 Mar 2026 02:47:13 UTC

The AWS service disruption has recovered, and Zscaler is considering this issue resolved.

Middle East Situation and Elevated Monitoring Posture - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net

Sat, 28 Feb 2026 00:00:00 GMT

Zscaler is aware of ongoing geopolitical developments in the Middle East that may impact regional internet connectivity and routing. As part of our standard operational practices, Zscaler is closely monitoring global network conditions and internet infrastructure stability to help maintain continued service reliability for our customers.

As of February 28, 2026, Zscaler services are operating normally, and we have not observed any impact to platform availability, performance, or security services.

Zscaler continuously monitors external factors that may influence internet routing, regional connectivity, and cybersecurity risk levels. In light of current conditions, we have increased operational monitoring and readiness measures across our global cloud infrastructure as a precautionary step to support service resilience.

Current Service Status

All Zscaler services are operating normally.
As of February 28, 2026, no disruption has been observed Traffic processing, policy enforcement, and security inspection capabilities are functioning as expected.

Operational Readiness

Zscaler operates a globally distributed cloud platform designed for high availability and continuity. Our operational teams are:

Monitoring global internet health, routing stability, and infrastructure conditions
Monitoring cybersecurity threat activity and indicators relevant to customer environments
Prepared to take proactive mitigation actions, if required, to maintain service stability and protection

Customer Guidance

No customer action is required at this time.
Customers may continue normal operations. Zscaler will update this advisory on this page and through official communication channels should any service impact occur or additional guidance become necessary.

Zscaler Client Connector for VDI – Version 1.7 Upgrade Issue - zscaler.net, zscalertwo.net, zscloud.net, zscalerthree.net

Wed, 25 Feb 2026 00:00:00 GMT

Zscaler is investigating an issue affecting customers who upgraded the Zscaler Client Connector for Virtual Desktop Infrastructure (VDI) to versions 1.7.0.4, 1.7.0.6, or 1.7.0.7.

Following the upgrade, some VDI instances may remain in an “off” state due to authentication failures. As a result, impacted VDIs may be unable to establish a connection to the Zscaler service.

Zscaler has identified the issue and validated that reverting to version 1.6 restores expected functionality. A permanent fix is currently under validation.

Who is impacted?

You may be impacted if:

You are using Zscaler Client Connector (ZCC) for VDI
You upgraded to version 1.7.0.4, 1.7.0.6, or 1.7.0.7
Your VDI instances are showing an “off” state and failing authentication

Customers who remain on version 1.6 or lower are not impacted.

What are my next steps?

If you have upgraded to version 1.7.0.4, 1.7.0.6, or 1.7.0.7:

Downgrade Zscaler Client Connector for VDI to version 1.6
Validate that the Client Connector Service Status is “ON”

This downgrade has been validated as a stable interim mitigation. We recommend pausing any additional rollouts of version 1.7 until further notice.

What if I have more questions?

If you require assistance with the rollback process or need further clarification, please contact Support.

Update - Wed, 11 Mar 2026 23:03:48 UTC

Zscaler has released Zscaler Client Connector for VDI version 1.7.0.10, which includes the fix for the reported issue. By end of day, the 1.7.0.10 image will be made available in the Client Connector App Store within the Client Connector UI, allowing customers to download and deploy the updated image directly. Customers experiencing this issue are advised to upgrade to this version once it becomes available.