An attacker with access to the computer, or malware running on the computer, can retrieve this information and then use it to resume a VPN session on another system without authentication.

The following products and versions store the VPN authentication/session cookie insecurely in memory:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

Palo Alto Networks released an update to deal with both issues. “This configuration is likely to be generic to additional VPN applications,” Oliver said, suggesting that many of the other 240 enterprise VPN providers CERT/CC keeps track of might likewise be affected and would require more testing.

The F5 Networks BIG-IP app patched the issue of storing authentication/session cookies in local log files in 2017. The following products and versions store VPN authentication/session cookies insecurely in log files, according to CERT/CC:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The “Remote Access” working group of the National Defense ISAC, a sharing community for cyber and physical security indicators for the US Department of Defense sector, raised the issue of insecure storage of VPN application authentication/session cookies. All four were confirmed to store unencrypted authentication and/or session cookies in the computer's memory or in log files stored on disk. This allows an attacker to access the internal network, intranet portals or other sensitive applications directly and without hindrance.
The DHS's US-CERT reported in a security alert issued earlier today that the issue affects VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. The enterprise VPN apps from Check Point and pfSense were deemed safe. F5 Networks has been aware since 2013 that some of its VPN apps store authentication/session cookies insecurely in OS memory, but decided not to release a patch, instead advising customers to enable OTP (one-time password) or 2FA (two-factor authentication) for their VPN clients rather than relying on a password challenge alone. Cisco and Pulse Secure did not publicly acknowledge the problem.