Recently, nation-state attackers targeted vulnerable VPN servers. Vulnerabilities in VPN products from renowned global brands were exploited in these campaigns, and they continue to be exploited by Advanced Persistent Threat (APT) groups on a mass scale.
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. This includes access to databases that the VPN server uses to track sessions, cleartext credentials, and NTLM hashes.
Note that 2FA will not prevent an attacker from hijacking a valid authenticated session. Moreover, credentials stored in these databases must be changed immediately, as attackers are actively leveraging them to attempt to connect to other resources that may not require 2FA.
Affected versions:
Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1
Pulse Secure Pulse Connect Secure (PCS) 8.3 before 8.3R7.1
Pulse Secure Pulse Connect Secure (PCS) 9.0 before 9.0R3.4
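The following Python check is an added example, not code from the original advisory or from Pulse Secure. It classifies PCS version strings from an appliance inventory against the fixed releases listed above; the `<train>R<release>.<patch>` parsing, the status names and the hostnames are assumptions constructed for illustration.

```python
import re

# First fixed release per release train, taken from the advisory text above.
FIXED = {"8.2": (12, 1), "8.3": (7, 1), "9.0": (3, 4)}

# Assumed version format: "<train>R<release>[.<patch>]", e.g. "9.0R3.4" or "8.3R7".
_VERSION = re.compile(r"^\s*(\d+\.\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION.match(version)
    if not m:
        return "unparseable"
    train = m.group(1)
    release, patch = int(m.group(2)), int(m.group(3) or 0)
    if train not in FIXED:
        # The advisory only covers 8.2, 8.3 and 9.0; anything else needs a
        # manual check against the vendor's guidance rather than a guess.
        return "not-listed"
    return "affected" if (release, patch) < FIXED[train] else "fixed"


def triage(inventory):
    """Map {host: version} to rows that need action, affected hosts first."""
    order = {"affected": 0, "unparseable": 1, "not-listed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    rows = [r for r in rows if r[2] != "fixed"]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = {
    "vpn-a.example.internal": "9.0R3.4",
    "vpn-b.example.internal": "9.0R3.3",
    "vpn-c.example.internal": "8.2R12",
    "vpn-d.example.internal": "8.1R15.1",
    "vpn-e.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, ver, status in triage(INVENTORY):
        print(f"{status:12} {host:26} {ver}")
```

A host that reports a fixed version today may still have been running an affected one earlier, so the credential changes described above are decided by exposure history, not by the current status alone.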