Serious Security Flaw Discovered in Three Widely Used VPNs – Update Now!

Virtual Private Networks (“VPNs”) are a secure way for employees to access firm files remotely, whether working from a home office or while travelling. They work by creating an encrypted connection from a laptop or PC to a firm’s server and allowing users to securely access and transfer files while out of the office.

Access to a VPN is typically gained by entering credentials and verifying your identity with an additional step, usually a multi-digit code or authorization through a pre-configured app.

According to two security researchers, a serious flaw was “accidently” discovered recently, which could allow hackers access to firm networks without requiring any credentials at all. “We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Devcore researcher Orange Tsai told TechCrunch.

In effect, they could have unfettered access to all your firm’s information – that includes data that is personal, proprietary and confidential!

According to technology news site TheInquirer.net, three major VPN providers are affected:

  • FortiGate’s FortiOS
    Versions 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
    Note: This vulnerability is only present if SSL VPN (web- or tunnel-mode) is enabled.
    FortiGate has released updates and provides more information about this vulnerability here.NIST has also released a Common Vulnerabilities and Exposures (“CVE”) specific to the FortiOS vulnerability. Info about CVE-2018-13379 can be found here.
  • Palo Alto Networks’ Global Protect Portal and GlobalProtect Gateway interfaces
    GlobalProtect Portal/Gateway Interface (PAN-SA-2019-0020), PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
    Palo Alto Networks has released updates and provides more information about this vulnerability here.NIST has also released a CVE specific to the Palo Alto vulnerability. Info about CVE-2019-1579 can be found here.
  • Pulse Secure
    Pulse Connect Secure and Pulse Policy Secure products were affected. The company released patches in April 2019 to remedy this vulnerability. If you use either of these products ensure all updates have been installed, especially the patches released by the company in April. Pulse Secure security advisories can be found here.

If your firm allows employees to work remotely and uses VPN software to accomplish this, be sure to ask your IT vendor whether the products mentioned above are in use at your firm; if so, ensure they install the necessary updates immediately!


For more cybersecurity help, here are some helpful resources:

Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Are Investment Managers Going to Have More KIDs?

Let us be clear…. we’re actually talking about the potential increase in production of point-of-investment disclosure documents for investment managers. The complications and stress of Brexit just got a whole lot more real for many UK- and EU-based investment management companies that are subject to rules requiring production of UCITS KIID (Key-Investor-Information-Document) and PRIIPs KID … Continued

Do You Feel Confident Your Password Hasn’t Been Hacked?

As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated. Hyped up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks all too real – which helps to explain why cyber remains a top priority for … Continued

SEC’s New Committee Begins Review of Form CRS Filings

The SEC’s Divisional Standards of Conduct Implementation Committee launched its review of Form CRS from a cross section of RIAs and BDs to assess compliance with the content and format requirements. Initial observations from the Committee have identified examples of relationship summaries that may lack certain disclosures or could be clearer or otherwise improved. The … Continued