| ⓘ Your system could be at risk of being affected by several CVEs targeting SSL VPNs. |
CIRT-BS is advising that unpatched VPN devices are being actively scanned for vulnerabilities. These include many widely used brands detailed below. The attacks are using previously breached credentials and brute force to bypass weak or misconfigured MFA to access devices and/or deploy ransomware.
Advisory Overview
|
| Advisory Type |
Technical |
| Author |
Jarrod Thompson and Marcus Knowles |
| Date |
27 March 2025 |
What’s Happening
|
| Affected Systems |
Some commonly affectedly systems and their relevant CVEs are included below.
- CVE-2018-13379: Fortinet FortiGate – Path traversal flaw exposing credentials
- CVE-2019-11510: Pulse Secure – Unauthorised file access storing passwords
- CVE-2020-12812: Fortinet FortiOS – 2FA bypass under specific conditions
- CVE-2020-5902: F5 BIG-IP – Remote code execution
- CVE-2021-22986: F5 – Unauthenticated remote command execution
- CVE-2022-40684: Fortinet – Authentication bypass
- CVE-2022-26134: Atlassian Confluence – Frequently chained in VPN exploits
- CVE-2023-27997: Fortinet – Heap buffer overflow, pre-auth RCE
- CVE-2023-3519: Citrix ADC — Unauthenticated remote code execution
- CVE-2023-27532: Veeam Backup — Missing authentication for critical function
|
| What this Means |
Attackers can access your systems without authentication and access sensitive information using stolen VPN credentials, unpatched systems, and weak password policies. They may steal data or deploy ransomware. These attacks may come from several criminal organisations. Some prominent groups include Seashell Blizzard, RansomHub, and Akira. |
What to Look For
|
| Signs You May Be at Risk |
You may be at risk to be affected by this vulnerability if your organisation has weak password policies that allow several login attempts or a wide range of VPN access, globally. |
| Signs You May Be Affected |
You may be affected by this vulnerability if you are observing any of the following:
- unusual login activity outside of business hours or from foreign IP addresses;
- sudden credential lockouts or unauthorised password changes;
- strange encrypted files;
- access to administrative panels from unknown endpoints; or
- unrecognised VPN client software or IP addresses.
|
What to Do
|
| Prevention |
To help prevent this vulnerability from impacting your organisation, take the steps outlined below.
- Patch All VPN Systems Immediately
- Reset All VPN User Credentials
- Implement and test MFA
- Segment critical systems.
- Monitor VPN logs and alerts.
- Use https://haveibeenpwned.com to check whether credentials have been exposed and immediately change any that are compromised.
- Raise awareness across your organisation.
- Establish an incident response plan.
- Restrict VPN access to relevant geographic locations.
- Block known malicious IP addresses.
- Set reasonable login attempt limits for a specific time window.
|
| Mitigation |
If you believe this vulnerability is already impacting you, take the steps outlined below (not in any particular order).
- Patch SSL VPN software.
- Reset all VPN passwords.
- Confirm MFA implementation.
- Review logs and block suspicious access.
- Notify all users and enforce password hygiene.
- Report the issues to CIRT-BS at [email protected].
|
Official Information
|
-
- https://www.fortiguard.com/psirt
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomhub
- https://www.cirt.bs/new-advisory-critical-vulnerability-found-in-remote-access-vpns
- https://www.cirt.bs/understanding-akira-ransomware-and-ransomware-trends-a-comprehensive-analysis/
- https://www.cirt.bs/akira-ransomware-exploits-critical-vulnerabilities-in-esxi-vmware-and-vpns/
|
Should you require additional information or further support, submit a report on our website or contact us at [email protected]. |
