{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vpn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon Web Services"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","discovery","vpn"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies the first time an IAM principal invokes discovery APIs from a source IP address whose autonomous system number (ASN) belongs to a known VPN provider. The rule focuses on high-signal discovery actions in AWS CloudTrail logs: credential checks, account and identity enumeration, bucket inventory, compute inventory, and logging introspection. The goal is to surface reconnaissance from anonymizing networks, a common first step after credential compromise. To limit false positives the rule matches a curated \u003ccode\u003eevent.action\u003c/code\u003e list rather than broad \u003ccode\u003eList*\u003c/code\u003e and \u003ccode\u003eDescribe*\u003c/code\u003e wildcards, and it compares the source ASN against a curated list of ASNs associated with VPN providers and hosting services. Validate the ASN list against local intelligence and tailor the \u003ccode\u003eevent.action\u003c/code\u003e list to your environment\u0026rsquo;s baseline. Hosting ASNs are dual-use (legitimate automation runs from them as well), so expect noise from that part of the list and tune it separately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains AWS credentials, for example through leaked access keys or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker connects through a commercial VPN to mask their origin and evade geographic restrictions or monitoring. 
The VPN endpoint\u0026rsquo;s ASN belongs to a known VPN provider.\u003c/li\u003e\n\u003cli\u003eUsing the compromised credentials over the VPN, the attacker calls \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e to confirm the credentials are valid and learn which account and principal they belong to.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates IAM users and roles with \u003ccode\u003eListUsers\u003c/code\u003e and \u003ccode\u003eListRoles\u003c/code\u003e to map the account\u0026rsquo;s identities and possible escalation paths.\u003c/li\u003e\n\u003cli\u003eThe attacker inventories S3 buckets with \u003ccode\u003eListBuckets\u003c/code\u003e to identify targets for data exfiltration or manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker maps EC2 instances, VPCs, and security groups with \u003ccode\u003eDescribeInstances\u003c/code\u003e, \u003ccode\u003eDescribeVpcs\u003c/code\u003e, and \u003ccode\u003eDescribeSecurityGroups\u003c/code\u003e to understand the network layout.\u003c/li\u003e\n\u003cli\u003eThe attacker lists Lambda functions with \u003ccode\u003eListFunctions\u003c/code\u003e to find code execution opportunities.\u003c/li\u003e\n\u003cli\u003eThe attacker checks logging coverage with \u003ccode\u003eDescribeTrails\u003c/code\u003e to identify regions or event types that are not logged.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDiscovery is the precursor to the damaging steps rather than the damage itself: once the identity, storage, compute, and logging layout is mapped, the attacker can pick the misconfigurations to exploit for data access, privilege escalation, and lateral movement, and can steer destructive actions toward regions or services that \u003ccode\u003eDescribeTrails\u003c/code\u003e showed to be unlogged. Compromised AWS environments can result in data breaches, service disruptions, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Discovery API Calls from VPN ASN by New Identity\u003c/code\u003e to detect anomalous discovery activity originating from VPN ASNs.\u003c/li\u003e\n\u003cli\u003eReview the curated list of VPN-oriented ASNs within the rule query and update it with local intelligence from sources like RIPE, BGPView, or PeeringDB.\u003c/li\u003e\n\u003cli\u003eEnsure AWS CloudTrail management events are enabled in all regions and shipped to the SIEM that evaluates the rule; every API call in the list is a management event, and an unlogged region is exactly the gap \u003ccode\u003eDescribeTrails\u003c/code\u003e is used to find.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rule\u0026rsquo;s \u003ccode\u003eevent.action\u003c/code\u003e filter to include additional discovery-related API calls relevant to your environment, based on baseline analysis.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003eevent.action\u003c/code\u003e, \u003ccode\u003eevent.provider\u003c/code\u003e, \u003ccode\u003esource.ip\u003c/code\u003e, and \u003ccode\u003esource.as.organization.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement automated response actions, such as revoking sessions or rotating keys, when unexpected discovery activity is detected from VPN ASNs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-aws-vpn-discovery/","summary":"This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.","title":"AWS Discovery API Calls from VPN ASN by New 
Identity","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-vpn-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openvpn-auth-oauth2"],"_cs_severities":["critical"],"_cs_tags":["openvpn","authentication-bypass","vpn"],"_cs_type":"advisory","_cs_vendors":["jkroepke"],"content_html":"\u003cp\u003eopenvpn-auth-oauth2, an OIDC single sign-on add-on for OpenVPN, has an authentication bypass in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. Clients that do not advertise WebAuth/SSO support (\u003ccode\u003eIV_SSO=webauth\u003c/code\u003e), such as the standard Linux \u003ccode\u003eopenvpn\u003c/code\u003e CLI, never complete OIDC authentication yet are granted a working tunnel and full network access. The default management-interface mode is not affected. Successful exploitation grants unauthenticated access to the internal network behind the VPN. 
This vulnerability is addressed in version 1.27.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).\u003c/li\u003e\n\u003cli\u003eAttacker uses a standard OpenVPN client (e.g., the Linux \u003ccode\u003eopenvpn\u003c/code\u003e CLI) that does not support WebAuth/SSO.\u003c/li\u003e\n\u003cli\u003eThe client connects without advertising \u003ccode\u003eIV_SSO=webauth\u003c/code\u003e in its peer info, so the plugin cannot start the WebAuth/SSO flow and has to decide the authentication result itself.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to deny the client by writing \u0026ldquo;0\u0026rdquo; to the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe plugin then returns \u003ccode\u003eOPENVPN_PLUGIN_FUNC_SUCCESS\u003c/code\u003e to the OpenVPN server instead of \u003ccode\u003eOPENVPN_PLUGIN_FUNC_ERROR\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenVPN treats \u003ccode\u003eFUNC_SUCCESS\u003c/code\u003e as an immediate, successful authentication; the \u003ccode\u003eauth_control_file\u003c/code\u003e is only consulted when a plugin returns \u003ccode\u003eOPENVPN_PLUGIN_FUNC_DEFERRED\u003c/code\u003e, so the \u0026ldquo;0\u0026rdquo; is never read.\u003c/li\u003e\n\u003cli\u003eThe OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.\u003c/li\u003e\n\u003cli\u003eAttacker uses that access for data exfiltration or lateral movement against internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation grants unauthenticated attackers full access to the internal network behind the OpenVPN server, and from there data theft, lateral movement, and compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. 
This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit \u003ca href=\"https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2\"\u003e\u003ccode\u003e36f69a6\u003c/code\u003e\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf an immediate upgrade is not feasible, switch to the default management-interface mode (the standalone, non-plugin deployment), which is not affected.\u003c/li\u003e\n\u003cli\u003eMonitor OpenVPN server logs for clients that connect without \u003ccode\u003eIV_SSO=webauth\u003c/code\u003e in their peer info (OpenVPN logs the \u003ccode\u003eIV_*\u003c/code\u003e peer-info values at \u003ccode\u003e--verb 4\u003c/code\u003e or higher) and correlate those sessions with network access activity; on a vulnerable server, a completed session from such a client indicates the bypass was used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:29:22Z","date_published":"2026-04-22T14:29:22Z","id":"/briefs/2026-04-openvpn-auth-bypass/","summary":"A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.","title":"OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode","url":"https://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2021-47961"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["plaintext-password","vpn","synology"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2021-47961 describes a vulnerability in Synology SSL VPN Client versions prior to 1.4.5-0684: the client stores the user\u0026rsquo;s password in plaintext in its configuration files. 
An attacker who can read files on the endpoint, whether through local access or an earlier remote compromise, can recover the password and use it to alter the VPN configuration. Exploitation can lead to unauthorized access to the VPN and to interception and monitoring of the user\u0026rsquo;s VPN traffic, which matters most for organizations that rely on the client for remote access to internal systems. This vulnerability was disclosed on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the targeted endpoint, either physically or through a prior remote compromise.\u003c/li\u003e\n\u003cli\u003eAttacker locates the Synology SSL VPN Client configuration file(s) on the compromised system.\u003c/li\u003e\n\u003cli\u003eAttacker opens the configuration file and retrieves the plaintext password stored within.\u003c/li\u003e\n\u003cli\u003eAttacker uses the retrieved password to access or modify the user\u0026rsquo;s PIN code within the VPN client.\u003c/li\u003e\n\u003cli\u003eAttacker reconfigures the VPN client settings, potentially redirecting traffic through a malicious server.\u003c/li\u003e\n\u003cli\u003eUser connects to the VPN using the modified configuration.\u003c/li\u003e\n\u003cli\u003eAll VPN traffic from the user\u0026rsquo;s machine is now routed through the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eAttacker intercepts and monitors the user\u0026rsquo;s VPN traffic, gaining access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47961 gives the attacker the user\u0026rsquo;s VPN credential and, through a tampered configuration, access to the data transmitted over the VPN connection. Exposure is limited to endpoints running a client version prior to 1.4.5-0684, and the attacker must already be able to read files on that endpoint. A successful attack can lead to data breaches, intellectual property theft, and compromise of internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Synology SSL VPN Client to version 1.4.5-0684 or later to patch CVE-2021-47961, then rotate the VPN passwords that were stored in plaintext, since the upgrade does not revoke credentials already copied from old configuration files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Synology VPN Client Configuration File Access\u0026rdquo; to detect unauthorized access to configuration files.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual VPN connection patterns indicative of traffic redirection, such as VPN sessions terminating at servers other than the organization\u0026rsquo;s own gateways, using existing network monitoring tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T10:16:03Z","date_published":"2026-04-10T10:16:03Z","id":"/briefs/2026-04-synology-vpn-vuln/","summary":"Synology SSL VPN Client before 1.4.5-0684 stores passwords in plaintext, allowing remote attackers to potentially access or manipulate user PIN codes, leading to unauthorized VPN configuration and traffic interception.","title":"Synology SSL VPN Client Plaintext Password Storage Vulnerability (CVE-2021-47961)","url":"https://feed.craftedsignal.io/briefs/2026-04-synology-vpn-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortigate","vpn","cve-2023-27997","exploit","initial-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn February 28, 2026, network intrusion detection systems (IDS) flagged activity consistent with an exploitation attempt against FortiGate SSL-VPN servers: a series of repeated GET requests to the \u003ccode\u003e/remote/logincheck\u003c/code\u003e endpoint, an endpoint that IDS signatures associate with CVE-2023-27997. 
The vulnerability itself is a heap-based buffer overflow in the FortiOS SSL-VPN component that allows unauthenticated attackers to execute arbitrary code via specially crafted requests; repeated requests to the login endpoint alone are also consistent with scanning or credential guessing, so confirm the device\u0026rsquo;s firmware version against Fortinet\u0026rsquo;s fixed releases before treating the alert as a successful exploit. The observed traffic originates from the IPv6 address…\u003c/p\u003e\n","date_modified":"2026-02-28T00:46:45Z","date_published":"2026-02-28T00:46:45Z","id":"/briefs/2026-02-fortigate-vpn-cve-2023-27997/","summary":"IDS alerts indicate a potential exploitation attempt against a FortiGate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.","title":"FortiGate VPN CVE-2023-27997 Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortigate","vpn","cve-2023-27997","exploit","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn February 26, 2026, network intrusion detection systems (IDS) triggered alerts for potential exploitation attempts against FortiGate SSL-VPN servers. The alerts show repeated GET requests from multiple IP addresses to the \u003ccode\u003e/remote/logincheck\u003c/code\u003e endpoint, traffic that IDS signatures associate with CVE-2023-27997, a heap-based buffer overflow in the FortiOS SSL-VPN component that allows unauthenticated remote code execution. Additionally, an IPv4 address was observed using a suspicious…\u003c/p\u003e\n","date_modified":"2026-02-26T07:27:12Z","date_published":"2026-02-26T07:27:12Z","id":"/briefs/2026-02-fortigate-cve-2023-27997/","summary":"Multiple IDS alerts indicate potential exploitation attempts against FortiGate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.","title":"FortiGate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent","url":"https://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/"}],"language":"en","title":"CraftedSignal Threat Feed — VPN","version":"https://jsonfeed.org/version/1.1"}
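The detection logic described in the first brief in this feed (AWS Discovery API Calls from VPN ASN by New Identity), as an added Python example that is not CraftedSignal's Sigma rule or code: it matches a curated (event.provider, event.action) list instead of List*/Describe* wildcards, looks up source.as.number against a VPN/hosting ASN watchlist, alerts only the first time each principal matches, and applies two normalizations a real deployment needs that the brief does not spell out: assumed-role session ARNs are collapsed to the role so every new session is not a "new identity", and CloudTrail's version suffix on Lambda API names (ListFunctions is logged as ListFunctions20150331) is stripped before matching. The ASNs 64501 and 64502 are documentation-range placeholders, the field names follow ECS as cited in the brief, and every event is constructed sample data.

```python
"""Toy detector for "AWS Discovery API Calls from VPN ASN by New Identity" (added example,
not the feed's Sigma rule). Events use the ECS field names the brief cites; the sample
events and the ASN watchlist are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Curated high-signal discovery calls as (event.provider, event.action).
# Broad List*/Describe* wildcards are deliberately absent; extend from your own baseline.
DISCOVERY_ACTIONS = {
    ("sts.amazonaws.com", "GetCallerIdentity"), ("iam.amazonaws.com", "ListUsers"),
    ("iam.amazonaws.com", "ListRoles"), ("s3.amazonaws.com", "ListBuckets"),
    ("ec2.amazonaws.com", "DescribeInstances"), ("ec2.amazonaws.com", "DescribeVpcs"),
    ("ec2.amazonaws.com", "DescribeSecurityGroups"), ("lambda.amazonaws.com", "ListFunctions"),
    ("cloudtrail.amazonaws.com", "DescribeTrails"),
}
# ASN watchlist: source.as.number -> category. 64501/64502 are placeholders from the
# RFC 5398 documentation range, not real providers; populate from RIPE/BGPView/PeeringDB.
ASN_WATCHLIST = {64501: "vpn", 64502: "hosting"}
# CloudTrail records Lambda API names with a version suffix (e.g. ListFunctions20150331);
# strip a trailing YYYYMMDD[vN] before matching against the curated list.
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

def normalize_action(action: str) -> str:
    return _VERSION_SUFFIX.sub("", action)

def principal_key(arn: str) -> str:
    """Collapse assumed-role session ARNs to the role so each new session is not 'new'."""
    return arn.rsplit("/", 1)[0] if ":assumed-role/" in arn else arn

def get_path(event: dict, path: str):
    """Read a dotted ECS path such as 'source.as.number' from a nested dict (None if absent)."""
    for part in path.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

@dataclass(frozen=True)
class Alert:
    principal: str
    action: str
    source_ip: str
    asn: int
    asn_org: str
    asn_category: str
    severity: str

class VpnDiscoveryDetector:
    def __init__(self, watchlist=ASN_WATCHLIST, actions=DISCOVERY_ACTIONS):
        self.watchlist, self.actions = watchlist, actions
        self.seen: set[str] = set()  # principals already seen doing this: the baseline

    def process(self, event: dict) -> Optional[Alert]:
        asn = get_path(event, "source.as.number")
        category = self.watchlist.get(asn)
        if category is None:
            return None
        provider = get_path(event, "event.provider")
        action = normalize_action(get_path(event, "event.action") or "")
        if (provider, action) not in self.actions:
            return None
        principal = principal_key(get_path(event, "aws.cloudtrail.user_identity.arn") or "")
        if not principal or principal in self.seen:
            return None  # first occurrence per principal only
        self.seen.add(principal)
        return Alert(principal, f"{provider}:{action}", get_path(event, "source.ip"), asn,
                     get_path(event, "source.as.organization.name") or "", category,
                     # hosting ASNs are dual-use, so they are raised at lower severity
                     "medium" if category == "vpn" else "low")

def make_event(arn, provider, action, ip, asn, org) -> dict:
    """Constructed ECS-style CloudTrail event (sample data, not a captured log)."""
    return {"event": {"provider": provider, "action": action},
            "source": {"ip": ip, "as": {"number": asn, "organization": {"name": org}}},
            "aws": {"cloudtrail": {"user_identity": {"arn": arn}}}}

ACCT = "123456789012"
SAMPLE_EVENTS = [
    make_event(f"arn:aws:iam::{ACCT}:user/alice", "sts.amazonaws.com", "GetCallerIdentity",
               "198.51.100.7", 64501, "ExampleVPN Ltd"),          # alert (vpn)
    make_event(f"arn:aws:iam::{ACCT}:user/alice", "iam.amazonaws.com", "ListUsers",
               "198.51.100.7", 64501, "ExampleVPN Ltd"),          # no alert: alice already seen
    make_event(f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/i-0abc", "ec2.amazonaws.com",
               "DescribeInstances", "203.0.113.9", 64502, "ExampleHost Inc"),  # alert (hosting)
    make_event(f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/i-0def", "ec2.amazonaws.com",
               "DescribeVpcs", "203.0.113.10", 64502, "ExampleHost Inc"),      # no alert: same role
    make_event(f"arn:aws:iam::{ACCT}:user/bob", "ec2.amazonaws.com", "DescribeAddresses",
               "198.51.100.8", 64501, "ExampleVPN Ltd"),          # no alert: not in curated list
    make_event(f"arn:aws:iam::{ACCT}:user/carol", "s3.amazonaws.com", "ListBuckets",
               "192.0.2.5", 16509, "Amazon.com, Inc."),           # no alert: ASN not on watchlist
    make_event(f"arn:aws:iam::{ACCT}:user/dave", "lambda.amazonaws.com", "ListFunctions20150331",
               "198.51.100.9", 64501, "ExampleVPN Ltd"),          # alert once the suffix is stripped
]

def run_detection(events=SAMPLE_EVENTS) -> list:
    det = VpnDiscoveryDetector()
    return [a for a in map(det.process, events) if a is not None]

if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Running the block yields three alerts out of seven events: alice's first call, the ci-deploy role once (not once per session), and dave's Lambda call after the suffix is stripped. In production the `seen` set would be backed by a lookback window in the SIEM rather than process memory, and the hosting category would be tuned separately from the VPN category because of its dual-use noise.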