Serious Security Flaw Discovered in Three Widely Used VPNs – Update Now!

Virtual Private Networks (“VPNs”) are a secure way for employees to access firm files remotely, whether working from a home office or while travelling. They work by creating an encrypted connection from a laptop or PC to a firm’s server and allowing users to securely access and transfer files while out of the office.

Access to a VPN is typically gained by entering credentials and verifying your identity with an additional step, usually a multi-digit code or authorization through a pre-configured app.

According to two security researchers, a serious flaw was “accidently” discovered recently, which could allow hackers access to firm networks without requiring any credentials at all. “We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Devcore researcher Orange Tsai told TechCrunch.

In effect, they could have unfettered access to all your firm’s information – that includes data that is personal, proprietary and confidential!

According to technology news site TheInquirer.net, three major VPN providers are affected:

  • FortiGate’s FortiOS
    Versions 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
    Note: This vulnerability is only present if SSL VPN (web- or tunnel-mode) is enabled.
    FortiGate has released updates and provides more information about this vulnerability here.NIST has also released a Common Vulnerabilities and Exposures (“CVE”) specific to the FortiOS vulnerability. Info about CVE-2018-13379 can be found here.
  • Palo Alto Networks’ Global Protect Portal and GlobalProtect Gateway interfaces
    GlobalProtect Portal/Gateway Interface (PAN-SA-2019-0020), PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
    Palo Alto Networks has released updates and provides more information about this vulnerability here.NIST has also released a CVE specific to the Palo Alto vulnerability. Info about CVE-2019-1579 can be found here.
  • Pulse Secure
    Pulse Connect Secure and Pulse Policy Secure products were affected. The company released patches in April 2019 to remedy this vulnerability. If you use either of these products ensure all updates have been installed, especially the patches released by the company in April. Pulse Secure security advisories can be found here.

If your firm allows employees to work remotely and uses VPN software to accomplish this, be sure to ask your IT vendor whether the products mentioned above are in use at your firm; if so, ensure they install the necessary updates immediately!


For more cybersecurity help, here are some helpful resources:

Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

As Form CRS Compliance Date Nears, Approaches to Meet Challenge Coming Into Focus

Form CRS, the sleeping giant, awakens! Investment advisers and broker dealers are turning their attention to planning for Form CRS, training and developing procedures to implement the SEC’s new rule and related interpretive releases. CSS developed Form CRS Automator, a software tool, to streamline the process. It allows teams to quickly produce compliant and accurate … Continued

Key Takeaways from 2020 OCIE Exam Priorities

On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its exam priorities for 2020 and reiterated its focus on protecting retail investors, particularly seniors and those saving for retirement. Here are some key takeaways from the exam priorities: Retail Investors OCIE will continue to focus on recommendations and advice provided to … Continued