Skip to main content
banner image
venafi logo

Vulnerable VPNs Subject to Cyber Warfare Attacks. Are Your Encrypted Tunnels Safe?

Vulnerable VPNs Subject to Cyber Warfare Attacks. Are Your Encrypted Tunnels Safe?

image of a hand hovering above a smartphone screen, about to switch the VPN on
October 22, 2019 | Guest Blogger: Kim Crawley

I strongly encourage everyone to use a VPN

when they access the internet. It doesn’t matter if you’re a big corporate network, or an individual consumer watching YouTube on your phone. If you use unencrypted TCP/IP protocols, transmitting cleartext gives cyber attackers an easy way to hijack your phone, tablet or PC. Even if you do use encrypted protocols, using a VPN still gives you an extra layer of encryption so that your sensitive financial and personal data are more secure.

But just like with TLS certificates and the HTTPS web protocol, your VPN encryption is only as secure as its implementation. If your encryption is improperly implemented, it’s useless. It’s like having an extra strong lock on your door, but an easily breakable window is next to it and it’s large enough for an adult to crawl through.

Cyber attackers will often try to find ways to bypass encryption rather than try to crack the cipher itself. And quite frequently, they’re successful. Advanced Persistent Threat (APT) groups have been caught exploiting vulnerabilities in a few popular VPN services. The danger is so serious that both the US National Security Agency (NSA) and the UK National Cyber Security Centre (NCSC) are trying to warn as many people as they can about it.



The vulnerabilities affect Pulse Secure, Palo Alto GlobalProtect and Fortinet Fortigate. The specific versions of the VPNs that are vulnerable include:

  • Pulse Connect Secure 9.0RX
  • Pulse Connect  Secure 8.3RX
  • Pulse Connect  Secure 8.2RX
  • Pulse Connect  Secure 8.1RX
  • Pulse Policy Secure 9.0RX
  • Pulse Policy Secure 5.4RX
  • Pulse Policy Secure 5.3RX
  • Pulse Policy Secure 5.2RX
  • Pulse Policy Secure 5.1RX
  • Palo Alto GlobalProtect SSL VPN 7.1.x < 7.1.19
  • Palo Alto GlobalProtect SSL VPN 8.0.x < 8.0.12
  • Palo Alto GlobalProtect SSL VPN 8.1.x < 8.1.3
  • Fortinet FortiOS 6.0.0 to 6.0.4
  • Fortinet FortiOS 5.6.3 to 5.6.7

From the NCSC’s alert:

“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto.

This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable. 

Vulnerabilities exist in several SSL VPN products which allow an attacker to retrieve arbitrary files, including those containing authentication credentials.

An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure.

Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.”

Two of the vulnerabilities, CVE-2019-11539, and CVE-2019-1579, are remote execution bugs which affect Pulse Secure's Pulse Connect Secure and Pulse Policy Secure, and Palo Alto GlobalProtect VPN. The first vulnerability affects the admin web interface and it “allows an authenticated attacker to inject and execute commands.” The latter “may allow an unauthenticated remote attacker to execute arbitrary code” if the GlobalProtect Portal or GlobalProtect Gateway Interface is enabled.

Another two of the vulnerabilities, CVE-2019-11510 and CVE-2018-13379, allow for pre-authentication arbitrary file reading. The first allows for an unauthenticated remote attacker to “send a specially crafted URI to perform an arbitrary file reading vulnerability,” and the second allows "unauthenticated attacker to download system files via special crafted HTTP resource requests" through Fortinet's web portal.

And finally, there’s CVE-2018-13382 and CVE-2018-13383. The first pertains to Fortinet’s web portal and “allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests. “The second also pertains to Fortinet’s web portal and “may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.”

What are the worst things that can happen in encrypted tunnels? Read the white paper.


Cyber warfare and their related APTs are a serious, ongoing threat that I expect to only get worse as the years go on. They can acquire sensitive financial data, compromise internal enterprise networks, or even shut down power grids and other industrial facilities. It's more important than ever to patch all of your software so vulnerabilities don't sit around waiting to be exploited.

If your organization uses Pulse, Palo Alto, or Fortinet VPNs, you must install their latest patches as soon as possible. All of the vulnerabilities I’ve mentioned now have patches available. And if you use any other VPNs, make sure those are patched too.

Vendors work hard to develop patches when they’re aware that vulnerabilities exist. But all of their hard work won’t help your organization if you don’t install their patches. So update all of your VPN software! You might just be averting a disaster in the making.


Related posts


Like this blog? We think you will love this.
TCP fast open and TLS handshake
Featured Blog

Does TCP Fast Open Improve TLS handshakes?

What is TCP Fast Open?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more