Trust

Axios Supply Chain Attack Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 03 Apr 2026 17:10:27 GMT

Zscaler has analyzed the supply chain compromises affecting the Axios npm packages. Analysis confirms no impact to Zscaler platforms, products, or internal systems.

As a best practice, customers should review their environments for the following impacted versions:

Axios npm package versions: 1.14.1 and 0.30.4

Actions if you have an impacted version:

Update/Revert: Revert or pin Axios to known safe versions (e.g., 1.14.0 or 0.30.3)
Rotate Credentials: Update all API keys, cloud tokens, and environment variables associated with this library.

Zscaler will continue to monitor the situation and update this post if new information emerges.

Action Required — Verify/Correct Your Z-Identity IdP “Primary Email” Attribute Mapping - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Tue, 31 Mar 2026 06:45:12 GMT

Zscaler is proactively reaching out to help prevent potential login failures to the Z-Identity Admin Console when authenticating through your Identity Provider (IdP). Based on monitoring, your tenant may be missing or mis-mapping the required Primary Email attribute used during JIT (Just-In-Time) provisioning.

This advisory relates to the recent incident and follow-up corrective actions (Reference: Trust Post: Z-Identity Portal Issue).

What is the issue?

On Mar 21st, some customers experienced login failures to the Z-Identity Admin Console when authenticating via their IdP. The error observed was:

“Invalid Input Error: Primary Email is required.”

Why this is needed

Zscaler deployed an update to improve validation of attributes during JIT provisioning. A subset of customers encountered login failures where the IdP was not sending the required email attribute or it was incorrectly mapped. To restore stability, Zscaler reverted the change.

Zscaler is now running a monitoring-only period and asking customers to validate/correct mappings before the improved validation is re-enabled in a controlled manner.

Who is impacted?

You may be impacted if all of the following apply:

IdP-based authentication is enabled (SSO via Google Workspace, Azure AD, Okta, etc.)
JIT provisioning is enabled
The Primary Email attribute mapping is missing or incorrect (wrong attribute name or not present in the IDP assertion)

Why JIT matters: JIT synchronizes user attributes from the IdP to Z-Identity at login; missing/incorrect Primary Email mapping is most likely to cause failures when validation is re-enabled.

Action Required — Verify your IdP “Primary Email” attribute mapping

Quick verification steps

Confirm IDP assertion includes an email address
- In your IdP admin console, open the Zscaler Z-Identity IDP app configuration.
- Use Test / Preview IDP Response.
- Verify an email attribute is present and contains the user’s email address.
Confirm attribute/claim mapping matches the assertion
- Review your IdP attribute/claim mappings.
- Ensure the mapped attribute name matches the actual attribute name in the assertion.
Recommended: Test with JIT provisioning
- Create a new test user in the IdP that does not exist in Z-Identity.
- Attempt login to the Z-Identity Admin Console via IdP.
- Expected results:
  - If the user is created successfully → mapping is correct.
  - If you see “Primary Email is required” → mapping needs correction.

If your test fails (remediation)

Update the IdP mapping to use the correct email attribute name
Ensure the email attribute is included in the IDP assertion
Re-test using a new JIT user
Notify your TSM/Zscaler Support once corrected

Timeline / next steps

Zscaler plans to re-enable the updated validation in approximately three weeks. Customers are requested to remediate before April 15th to ensure adequate time for correction and testing.

Support / escalation

If you need help validating the IDP assertion or correcting the mapping, contact Zscaler Support and include:

Your IdP vendor/type
Screenshot/description of your email attribute/claim mapping
(If available) the attribute name used for email in the IDP assertion (no sensitive data required)

Experience Center – SSO Error When Accessing Support Tab - zslogin.net

Fri, 27 Mar 2026 00:53:10 GMT

Zscaler is investigating an issue impacting Experience Center customers, where users may encounter an SSO error when navigating to the Support tab within the Experience Portal.

Impact: Customers attempting to access the Support tab through the Experience Center portal may be unable to successfully authenticate via SSO. All other platform functionalities remain unaffected.

Workaround:
Customers can continue to access the Support Portal using the following validated workaround:

Log in to an alternate Zscaler Product Admin Portal (e.g., ZIA, ZPA, or ZDX)
Navigate to the Support Portal from that product interface
From there:
- View existing cases across all products, including Experience Center, or
- Create a new case and manually select:
  - Product: Experience Center
  - Company ID: Corresponding Experience Center tenant

Zscaler has identified the underlying cause of the issue and a fix has been developed. Deployment of the fix is currently planned for March 28, 2026, during the Maintenance Window.

Update - Sat, 28 Mar 2026 09:59:05 UTC

Zscaler has deployed a fix, and the issue impacting access to the Support tab in the Experience Center portal has been resolved. Services have been restored, and customers should now be able to access Support functionality normally. Zscaler will continue to monitor the environment to ensure ongoing stability.

Trivy and LiteLLM Supply Chain Incident (CVE-2026-33634) Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Thu, 26 Mar 2026 21:18:45 GMT

Zscaler has analyzed the supply chain compromises affecting the Trivy security scanner and LiteLLM. Analysis confirms no impact to Zscaler platforms, products, or internal systems, including AI Guard.

As a best practice customers should review their environments for the following impacted versions:

Trivy: Container images v0.69.5–v0.69.6
LiteLLM: Versions 1.82.7 and 1.82.8.

Actions if you have an impacted version:

Update/Revert: Upgrade Trivy to v0.69.7 or later and downgrade LiteLLM to v1.82.6.
Rotate Credentials: Update all API keys, cloud tokens, and environment variables associated with these tools.

Zscaler will continue to monitor the situation and update this post if new information emerges.

CBI Original URL Experience Degradation - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Fri, 20 Mar 2026 21:17:56 GMT

Zscaler is actively implementing mitigation measures for an intermittent, low-impact issue affecting the Zscaler Internet Access (ZIA) Service Edge. As part of our troubleshooting and remediation process, we are making adjustments to a specific feature indicated by our data to be triggering the issue.

As a result, some Cloud Browser Isolation (CBI) customers who have enabled the newly released Original URL feature in their Isolation Profile may periodically still see the full CBI URL instead of the original URL. While we understand this is a degradation in experience for end users, there should be no impact to core CBI functionality.

SaaS Application Activity Data Not Displaying in Activity Logs - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Mon, 16 Mar 2026 21:54:12 GMT

Activity Logs are currently not displaying SaaS application activity data. Zscaler is actively working to resolve this issue.

Who is impacted?
ZIA customers who have onboarded and configured Data-at-Rest scanning for SaaS applications may temporarily be unable to view SaaS-related activity data in Activity Logs.

When will this be resolved?
A fix is currently being deployed and is expected to be completed across all Zscaler clouds by March 22, 2026.

What are my next steps?
No action is required from customers at this time. Zscaler will continue to monitor the deployment to ensure full restoration of activity log visibility.

Latest Update - Mon, 23 Mar 2026 04:09:49 UTC

The fix has been deployed on the remaining clouds and the issue is now resolved.

Update - Tue, 17 Mar 2026 06:28:51 UTC

As per the latest update, the fix has been deployed across the ZS1, ZSC, and ZSN clouds, and deployment on ZS2 and ZS3 is scheduled to complete by March 22, 2026.

Update - Mon, 23 Mar 2026 04:09:49 UTC

The fix has been deployed on the remaining clouds and the issue is now resolved.

Deprecation of Individual Administrative UIs - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, zslogin.net

Mon, 16 Mar 2026 18:33:56 GMT

What is changing?

Zscaler is deprecating individual administrative User Interfaces (UIs). Customers must migrate to ZIdentity and Experience Center, Zscaler’s centralized administrative and insights platform, to take advantage of new features and innovations.

Who is impacted?

All customers not currently using ZIdentity for administrative purposes must complete the migration to have access to new features and innovations.

Key Information

Access Experience Center: To use the latest administrative capabilities, customers must complete migration to ZIdentity for Administrators and access Experience Center (https://console.zscaler.com).
Exclusive Features Beginning on April 1st 2026: Starting in April 2026, all new features and product enhancements are available exclusively on Experience Center.
Innovations Exclusive to Experience Center: Risk360, Health360, Zero Trust Branch, and all future innovations are available only on Experience Center.
Legacy UIs Maintenance Mode on April 1st 2026: Legacy administrative UIs will go into maintenance mode starting in April 2026. This means you can still apply configuration changes in the legacy administrative UIs but no new features will be added to them. All new developments will be exclusive to the Experience Center.
Legacy UIs Deprecation on September 30th 2026: Legacy administrative UIs will be deprecated
Executive dashboards with key insights that are showcased in the Executive Insights App (the new mobile CXO app) are only present in Experience Center.

To learn more, read our blog post: Embracing the Future of Zero Trust Administration with ZIdentity and Experience Center.

Next Steps

Engage your Zscaler Account team: Your Zscaler Account team or Technical Success Manager can assist with planning and completing your migration to ZIdentity and enabling Experience Center.
Complete your migration to ZIdentity: Visit the ZIdentity migration page to submit your request for migration. Review the ZIdentity migration documentation for detailed migration guidance. The time required to complete migration depends on your organization, but it can be as quick as setting up a new connection with your identity provider.
Start using the Experience Center at https://console.zscaler.com.

What if I have more questions?

If you have additional questions, contact Zscaler Support via the Support link in the Zscaler Internet Access or ZIdentity Admin Portal, or call us at +1 (408) 752-5885. Within the U.S., you can use +1 (844) 971-0010.

Update 3/25/26: Updated verbiage

Sitereview Portal Validation Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Mon, 16 Mar 2026 14:10:54 GMT

Site review is used by customers and their users to submit URL categorization and review requests to Zscaler. To provide a more secure environment for our ZIA customers, Zscaler is refining how the Site review portal authorizes URL recategorization and review requests. Previously, the portal accepted requests if either the Source IP or the X Forwarded For header belonged to a Zscaler IP address range. As part of a security enhancement, we are removing reliance on the X Forwarded For header. Access will now be restricted to requests originating from a recognized Zscaler Source IP address range or an explicitly whitelisted non Zscaler Source IP.

What Changed

Validation Logic Update: We are moving from a model that allows either a Zscaler Source IP OR a Zscaler XFF header to a model that requires a Zscaler Source IP.
Deprecation of XFF Headers: The portal will no longer consider the X-Forwarded-For header as a valid identifier for request origin.

Impacted Areas

Service: Sitereview Portal (https://sitereview.zscaler.com/)
Users: ZIA customers performing URL recategorization reviews.

What is Not Allowed

Submissions from non-Zscaler Source IPs that rely solely on the XFF header to identify as a Zscaler customer will no longer be accepted.

What is Allowed

Submissions originating from any valid Zscaler Source IP address.
Submissions from specific customer-owned (non-Zscaler) Source IPs that have been explicitly whitelisted by Zscaler.

Expected Behavior

To ensure minimal disruption, Zscaler has already proactively whitelisted known existing non-Zscaler Source IPs used by our customers. We expect most users to experience no change in service.

For users where submission was previously working but stopped working after a change, they should do the following:

Confirm they are accessing Sitereview from a Zscaler IP address (i.e., traffic is egressing through Zscaler).
If they must submit from a non-Zscaler egress IP, contact the Zscaler Support Team to request whitelisting (allowlisting) of their non-Zscaler Source IP.

Implementation Timeline

This update will be fully implemented after April 4, 2026.

Summary

Zscaler is updating the request validation logic for the Sitereview portal (sitereview.zscaler.com) to enhance security. Effective April 4, 2026, the portal will transition to strictly validating the Source IP address for all submissions.

Commercial Salesforce Security Notification - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 13 Mar 2026 16:29:01 GMT

On March 10, 2026, Zscaler was made aware of a campaign targeted at the Salesforce Experience Center impacting a large number of Salesforce customers, including Zscaler. Following guidance from Salesforce, Zscaler completed remediation of the incident on March 11, 2026.

Unauthorized access to personal data was limited to the Name and Email Address field from the Commercial Zscaler Community Portal. The scope of the incident was confined to the Zscaler Commercial Salesforce tenant and did not impact the Zscaler Federal Salesforce tenant.

Zscaler's products, services and/or underlying systems and infrastructure were not impacted and no sensitive PII was accessed or exposed.

Improved Input Validation for User-Editable Text Fields - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net, app.zsdpc.net, app.eu.zsdpc.net, zpabeta.net, zsdkone.net, zscalerrisk.net, admin.zscaleranalytics.net, zslogin.net

Fri, 06 Mar 2026 14:06:00 GMT

We’ve enhanced validation for certain user-editable fields to ensure user-provided values remain plain text and render consistently across the UI (including tables, tooltips, and logs).

What Changed

ZIA now enforces stricter validation on specific text fields to prevent the use of:

HTML / markup
HTML-encoded markup / HTML entities (including entity-based representations of special characters or whitespace)

If disallowed input is detected, the API will reject the request with HTTP 400 (Bad Request).

Impacted Areas (where this validation applies)

Impacted Areas	KB Document
Webhook names	https://help.zscaler.com/zia/adding-webhook
PAC file names & descriptions	https://help.zscaler.com/zia/about-hosted-pac-files
Static IP descriptions	https://help.zscaler.com/zia/self-provisioning-static-ip-addresses
URLs in URL categories	https://help.zscaler.com/zia/configuring-custom-url-categories
Extranet names	https://help.zscaler.com/zia/configuring-extranet
Location group names	https://help.zscaler.com/zia/configuring-dynamic-location-groups

What Is Not Allowed (Rejected with HTTP 400)

HTML / Markup in Input Fields Examples (NOT allowed):
- poc<a href="...">X</a>
- <script>alert(1)</script>
- <img src=x onerror=alert(1)>
- <svg onload=alert(1)>
HTML-Encoded Markup / HTML Entities Examples (NOT allowed):
- < , > (encoded < and >)
- &Tab; (encoded tab)
- poc<a href=javascript:confirm(document.domain)>X</a>

What Is Allowed

Plain text values that do not contain HTML markup or HTML entity encodings.

Example (allowed):

Webhook for audit notifications - test environment

Expected Behavior / User Impact

Requests containing disallowed content are rejected with HTTP 400 (Bad Request).
The object will not be created/updated with the invalid value.
This ensures user-provided values render predictably in UI locations such as tables, tooltips, and audit logs.

Implementation Timeline

Starting from 15 March, we will begin the update rollout process.
The rollout will be performed cloud-by-cloud (each production cloud will be updated one by one).
By 31 March, the update is expected to be deployed across all production clouds.

Summary

As part of a product hardening enhancement, the API now rejects inputs containing HTML markup or HTML entity-encoded markup in select user-editable fields (e.g., webhook names, PAC file metadata, URL category URLs, and naming/description fields). Requests with such values will return HTTP 400.

For any further information, please feel free to reach out to the Zscaler Support team.

VPN Legacy Application Issue - private.zscaler.com

Mon, 02 Mar 2026 20:05:29 GMT

Zscaler continues to monitor the previously reported service disruption impacting private.zscaler.com, affecting access to VPN Legacy Applications for a subset of users.

Initial telemetry and early recovery indicators suggested that service behavior had stabilized; however, subsequent monitoring has confirmed that intermittent impact remains for a subset of users. According to the cloud provider’s status page, two Availability Zones (mec1-az2 and mec1-az3) in the AWS ME-CENTRAL-1 Region are currently experiencing impairment, and AWS is actively working toward full restoration.

Customers may refer to the cloud provider’s status page for additional updates related to the underlying infrastructure Status Page.

Zscaler continues close monitoring of the situation and will provide further updates as additional information becomes available or once full service stability is confirmed. Customers requiring assistance or continuing to experience impact are encouraged to contact Zscaler Support for further investigation and guidance.

VPN Legacy Application Issue - private.zscaler.com

Sun, 01 Mar 2026 17:11:25 GMT

Zscaler is currently investigating an issue affecting Legacy VPN application services for customers in the UAE region. Initial findings indicate that this disruption is related to an AWS service issue within Availability Zone mec1-az2 in the ME-CENTRAL-1 region.

Our operations team is monitoring the situation closely and working toward mitigation. We will provide further updates as more information becomes available.

We will continue to provide updates here as the investigation progresses. For detailed updates, please check the Service Status section in your Zscaler customer support portal (CSP). Status changes and additional details will be posted there as they become available.

Latest Update - Mon, 02 Mar 2026 02:47:13 UTC

The AWS service disruption has recovered, and Zscaler is considering this issue resolved.

Update - Sun, 01 Mar 2026 17:23:03 UTC

An issue within AWS was identified, and Zscaler teams are actively working to address and mitigate the problem.

Update - Mon, 02 Mar 2026 02:47:13 UTC

The AWS service disruption has recovered, and Zscaler is considering this issue resolved.

Middle East Situation and Elevated Monitoring Posture - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net, private.zscaler.com, zdxcloud.net, zpatwo.net

Sat, 28 Feb 2026 22:11:13 GMT

Zscaler is aware of ongoing geopolitical developments in the Middle East that may impact regional internet connectivity and routing. As part of our standard operational practices, Zscaler is closely monitoring global network conditions and internet infrastructure stability to help maintain continued service reliability for our customers.

As of February 28, 2026, Zscaler services are operating normally, and we have not observed any impact to platform availability, performance, or security services.

Zscaler continuously monitors external factors that may influence internet routing, regional connectivity, and cybersecurity risk levels. In light of current conditions, we have increased operational monitoring and readiness measures across our global cloud infrastructure as a precautionary step to support service resilience.

Current Service Status

All Zscaler services are operating normally.
As of February 28, 2026, no disruption has been observed Traffic processing, policy enforcement, and security inspection capabilities are functioning as expected.

Operational Readiness

Zscaler operates a globally distributed cloud platform designed for high availability and continuity. Our operational teams are:

Monitoring global internet health, routing stability, and infrastructure conditions
Monitoring cybersecurity threat activity and indicators relevant to customer environments
Prepared to take proactive mitigation actions, if required, to maintain service stability and protection

Customer Guidance

No customer action is required at this time.
Customers may continue normal operations. Zscaler will update this advisory on this page and through official communication channels should any service impact occur or additional guidance become necessary.

Zscaler Client Connector for VDI – Version 1.7 Upgrade Issue - zscaler.net, zscalertwo.net, zscloud.net, zscalerthree.net

Wed, 25 Feb 2026 20:06:14 GMT

Zscaler is investigating an issue affecting customers who upgraded the Zscaler Client Connector for Virtual Desktop Infrastructure (VDI) to versions 1.7.0.4, 1.7.0.6, or 1.7.0.7.

Following the upgrade, some VDI instances may remain in an “off” state due to authentication failures. As a result, impacted VDIs may be unable to establish a connection to the Zscaler service.

Zscaler has identified the issue and validated that reverting to version 1.6 restores expected functionality. A permanent fix is currently under validation.

Who is impacted?

You may be impacted if:

You are using Zscaler Client Connector (ZCC) for VDI
You upgraded to version 1.7.0.4, 1.7.0.6, or 1.7.0.7
Your VDI instances are showing an “off” state and failing authentication

Customers who remain on version 1.6 or lower are not impacted.

What are my next steps?

If you have upgraded to version 1.7.0.4, 1.7.0.6, or 1.7.0.7:

Downgrade Zscaler Client Connector for VDI to version 1.6
Validate that the Client Connector Service Status is “ON”

This downgrade has been validated as a stable interim mitigation. We recommend pausing any additional rollouts of version 1.7 until further notice.

What if I have more questions?

If you require assistance with the rollback process or need further clarification, please contact Support.

Update - Wed, 11 Mar 2026 23:03:48 UTC

Zscaler has released Zscaler Client Connector for VDI version 1.7.0.10, which includes the fix for the reported issue. By end of day, the 1.7.0.10 image will be made available in the Client Connector App Store within the Client Connector UI, allowing customers to download and deploy the updated image directly. Customers experiencing this issue are advised to upgrade to this version once it becomes available.

DNS Update for Outbound Email DLP - zscaler.net, zscalertwo.net, zscalerthree.net

Wed, 11 Feb 2026 07:30:13 GMT

Zscaler will be moving outbound Email DLP traffic for the securemail.<cloudname> domain to previously advertised networks. For details, refer to config.zscaler.com/zscaler.net/email-dlp.

What is changing?

DNS resolution for securemail.<cloudname> will be updated to point to VIPs that are part of the subnets mentioned in the above article.

Who is impacted?
This change impacts customers sending outbound Google Workspace (G Suite) email through Zscaler SMTP egress IP ranges who previously updated their configuration to use in.securemail.<cloudname> on Feb 9. These customers may experience email rejection or non-delivery unless the egress IP ranges for securemail.<cloudname> are whitelisted in addition to those already whitelisted for in.securemail.<cloudname>.

This does not impact customers that have the subnets mentioned in securemail.<cloudname> whitelisted.

Action Required.

Customers using Google Workspace (G Suite) should whitelist the securemail.<cloudname> egress IP ranges before the change to ensure continued outbound email delivery when using securemail.<cloudname>. No action is required if using in.securemail.<cloudname>. For details, refer to config.zscaler.com/zscaler.net/email-dlp.

Customers are advised to refer to the Service Status section in their Zscaler customer support portal (CSP) for more details.

When is the update scheduled?

The update will be performed during the upcoming maintenance window on a per-cloud basis:

ZSN and ZS2 Clouds (all regions): Saturday, 1:00 AM – 6:00 AM UTC
ZS3 Cloud (all regions): Sunday, 1:00 AM – 6:00 AM UTC

Update - Mon, 16 Feb 2026 06:53:14 UTC

This maintenance activity is now completed.

ZCC Android Defect Update - zscaler.net, zscalerone.net, zscalertwo.net, zscloud.net, zscalerthree.net

Mon, 02 Feb 2026 18:54:41 GMT

Zscaler is aware of a problem with the current 4.1.0.53 Zscaler Client Connector (ZCC) for Android and Android on ChromeOS. On February 2, 2026, Zscaler published the Zscaler Client Connector (ZCC) version 4.1.0.63 release for Android and ChromeOS. Immediately upgrade your Zscaler Client Connector to the latest version for Android in the Google Play Store.