Serious Security Flaw Discovered in Three Widely Used VPNs – Update Now!

Virtual Private Networks (“VPNs”) are a secure way for employees to access firm files remotely, whether working from a home office or while travelling. They work by creating an encrypted connection from a laptop or PC to a firm’s server and allowing users to securely access and transfer files while out of the office.

Access to a VPN is typically gained by entering credentials and verifying your identity with an additional step, usually a multi-digit code or authorization through a pre-configured app.

According to two security researchers, a serious flaw was “accidently” discovered recently, which could allow hackers access to firm networks without requiring any credentials at all. “We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Devcore researcher Orange Tsai told TechCrunch.

In effect, they could have unfettered access to all your firm’s information – that includes data that is personal, proprietary and confidential!

According to technology news site TheInquirer.net, three major VPN providers are affected:

  • FortiGate’s FortiOS
    Versions 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
    Note: This vulnerability is only present if SSL VPN (web- or tunnel-mode) is enabled.
    FortiGate has released updates and provides more information about this vulnerability here.NIST has also released a Common Vulnerabilities and Exposures (“CVE”) specific to the FortiOS vulnerability. Info about CVE-2018-13379 can be found here.
  • Palo Alto Networks’ Global Protect Portal and GlobalProtect Gateway interfaces
    GlobalProtect Portal/Gateway Interface (PAN-SA-2019-0020), PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
    Palo Alto Networks has released updates and provides more information about this vulnerability here.NIST has also released a CVE specific to the Palo Alto vulnerability. Info about CVE-2019-1579 can be found here.
  • Pulse Secure
    Pulse Connect Secure and Pulse Policy Secure products were affected. The company released patches in April 2019 to remedy this vulnerability. If you use either of these products ensure all updates have been installed, especially the patches released by the company in April. Pulse Secure security advisories can be found here.

If your firm allows employees to work remotely and uses VPN software to accomplish this, be sure to ask your IT vendor whether the products mentioned above are in use at your firm; if so, ensure they install the necessary updates immediately!


For more cybersecurity help, here are some helpful resources:

Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?

With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides … Continued

ESMA Updates AIFMD Q&A on Reporting to National Competent Authorities

The European Securities and Markets Authority (ESMA) has updated its Questions and Answers on the Alternative Investment Fund Managers Directive (AIFMD). One new Q&A has been added with regard to reporting to National Competent Authorities. ESMA has provided clarification on reporting on liquidity stress tests for closed-ended unleveraged Alternative Investment Funds (AIFs). These AIFs are exempt from the … Continued

CSS Named to RegTech 100 List of World’s Most Innovative RegTech Companies

NEW YORK – Compliance Solutions Strategies (CSS) is proud to announce its inclusion in the RegTech 100 for 2020, a list recognizing the world’s most innovative RegTech companies compiled by RegTech Analyst, a specialist research firm. “We are honored to be selected as one of the most innovative companies within such a competitive and evolving … Continued