Every CVE whose affected-product data names Cloudflare Warp, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2022-4428 — CVSS 8.9 (high): support_uri parameter in the WARP client local settings file (mdm.xml) lacked proper validation which allowed for privilege escalation and…
CVE-2022-2225 — CVSS 8.1 (high): By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured…
CVE-2023-2754 — CVSS 7.4 (high): The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that…
CVE-2023-1862 — CVSS 7.3 (high): Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an…
CVE-2025-0651 — CVSS 7.1 (high): Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. User with a low system privileges can…
CVE-2023-0652 — CVSS 7.0 (high): Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for…
CVE-2023-1412 — CVSS 7.0 (high): An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<=…
CVE-2022-3320 — CVSS 6.7 (medium): It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using…
CVE-2022-3512 — CVSS 6.7 (medium): Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in…
CVE-2022-2147 — CVSS 6.5 (medium): Cloudflare Warp for Windows from version 2022.2.95.0 contained an unquoted service path which enables arbitrary code execution leading to…
CVE-2022-2145 — CVSS 5.8 (medium): Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During…
CVE-2022-4457 — CVSS 5.5 (medium): Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to a perform a task hijacking attack. An…
CVE-2023-3747 — CVSS 5.5 (medium): Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created…
CVE-2020-35152 — CVSS 4.5 (medium): Cloudflare WARP for Windows allows privilege escalation due to an unquoted service path. A malicious user or process running with…
CVE-2023-0654 — CVSS 3.9 (low): Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an…
CVE-2023-0238 — CVSS 3.9 (low): Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a…