SonicWall Gen6 SSL-VPN MFA Bypass via CVE-2024-12802
2 rules, 1 TTP, 1 CVE
Threat actors exploited CVE-2024-12802, a vulnerability in SonicWall Gen6 SSL-VPN appliances, to bypass multi-factor authentication (MFA) after brute-forcing VPN credentials, leading to the deployment of ransomware-related tools.
CVE-2026-0257 PAN-OS GlobalProtect Authentication Bypass Vulnerability
1 rule, 1 TTP
An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS GlobalProtect portal and gateway (CVE-2026-0257) when authentication override cookies are enabled, allowing an attacker to establish an unauthorized VPN connection.
CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities
2 rules, 1 TTP
CVE-2026-0249 describes multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app that could allow an attacker to intercept encrypted communications and potentially compromise the endpoint, especially on macOS, Android, and ChromeOS.
CVE-2026-0248 Prisma Access Agent Improper Certificate Validation Vulnerability
2 rules, 2 TTPs
CVE-2026-0248 is an improper certificate validation vulnerability in Prisma Access Agent for Android and Chrome OS, enabling a man-in-the-middle (MitM) attack to intercept VPN traffic and capture sensitive device information by presenting a certificate issued by a trusted Certificate Authority.
Multiple Vulnerabilities in strongSwan Enable Denial of Service and Code Execution
2 rules, 2 TTPs
A remote, anonymous attacker can exploit multiple vulnerabilities in strongSwan to conduct a denial-of-service attack or potentially achieve arbitrary code execution.
AWS Discovery API Calls from VPN ASN by New Identity
2 rules, 1 TTP
This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.
OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode
2 rules, 1 TTP
A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.
Synology SSL VPN Client Plaintext Password Storage Vulnerability (CVE-2021-47961)
2 rules, 1 TTP, 1 CVE
Synology SSL VPN Client before 1.4.5-0684 stores passwords in plaintext, allowing remote attackers to potentially access or manipulate user PIN codes, leading to unauthorized VPN configuration and traffic interception.
Fortigate VPN CVE-2023-27997 Exploitation Attempt
2 rules, 1 TTP
IDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.
Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent
3 rules, 2 TTPs
Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.
Flax Typhoon Masquerading SoftEther VPN as Legitimate Windows Binaries
2 rules, 2 TTPs
The Flax Typhoon group uses SoftEther VPN, masquerading the VPN client as legitimate Windows binaries like conhost.exe and dllhost.exe, to obfuscate their network activity within compromised Taiwanese organizations.