Serious Security Flaw Discovered in Three Widely Used VPNs – Update Now!

Virtual Private Networks (“VPNs”) are a secure way for employees to access firm files remotely, whether working from a home office or while travelling. They work by creating an encrypted connection from a laptop or PC to a firm’s server and allowing users to securely access and transfer files while out of the office.

Access to a VPN is typically gained by entering credentials and verifying your identity with an additional step, usually a multi-digit code or authorization through a pre-configured app.

According to two security researchers, a serious flaw was “accidently” discovered recently, which could allow hackers access to firm networks without requiring any credentials at all. “We could compromise the VPN server and corporate intranet with no authentication required, compromise all the VPN clients, and steal all secrets from the victims.” Devcore researcher Orange Tsai told TechCrunch.

In effect, they could have unfettered access to all your firm’s information – that includes data that is personal, proprietary and confidential!

According to technology news site TheInquirer.net, three major VPN providers are affected:

  • FortiGate’s FortiOS
    Versions 5.6.3 to 5.6.7, 6.0.0 to 6.0.4
    Note: This vulnerability is only present if SSL VPN (web- or tunnel-mode) is enabled.
    FortiGate has released updates and provides more information about this vulnerability here.NIST has also released a Common Vulnerabilities and Exposures (“CVE”) specific to the FortiOS vulnerability. Info about CVE-2018-13379 can be found here.
  • Palo Alto Networks’ Global Protect Portal and GlobalProtect Gateway interfaces
    GlobalProtect Portal/Gateway Interface (PAN-SA-2019-0020), PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected.
    Palo Alto Networks has released updates and provides more information about this vulnerability here.NIST has also released a CVE specific to the Palo Alto vulnerability. Info about CVE-2019-1579 can be found here.
  • Pulse Secure
    Pulse Connect Secure and Pulse Policy Secure products were affected. The company released patches in April 2019 to remedy this vulnerability. If you use either of these products ensure all updates have been installed, especially the patches released by the company in April. Pulse Secure security advisories can be found here.

If your firm allows employees to work remotely and uses VPN software to accomplish this, be sure to ask your IT vendor whether the products mentioned above are in use at your firm; if so, ensure they install the necessary updates immediately!


For more cybersecurity help, here are some helpful resources:

Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Texas Outlaws and a Silver Bullet: Position Limits in the USA

In this first installment on position limits, Regulatory Guidance expert Greg Hotaling surveys the current landscape of position limits imposed for U.S.-listed commodity derivative holdings, which can affect investment firms and other speculative investors regardless of where they are based. Stay tuned for coverage of EU position limits in the next edition. “Who shot J.R.?!” … Continued

FAQs From the Cyber Desk

Cybersecurity is a fast-moving target, so it is not uncommon for firms to have questions when it comes to assessing and understanding their cybersecurity risks. Here at CSS we receive a lot of cybersecurity questions, so we thought we would take the time to answer 10 of the most common Frequently Asked Questions. (1) What … Continued

EU Position Limits: Born in the USA?

This is the second installment of Regulatory Guidance Expert Greg Hotaling’s blog on position limits, this time addressing EU-listed commodity derivatives and related products.  As always, keep in mind that these limits can apply to asset managers, and other market participants, regardless of where they are based. In 2009, the European Union’s first comprehensive position … Continued