Security researchers have uncovered serious vulnerabilities in Palo Alto Networks and SonicWall VPN clients that could allow attackers to execute malicious code on Windows and macOS systems.
The newly discovered flaws target the trust relationship between VPN clients and servers. Malicious actors could set up fake VPN servers to manipulate client behavior and gain elevated system access. Researchers developed a proof-of-concept tool called NachoVPN to demonstrate these attack scenarios.
Two major vulnerabilities were identified:
- A certificate validation flaw in Palo Alto Networks GlobalProtect (CVE-2024-5921) that enables connections to unauthorized servers and malware deployment
- A code execution vulnerability in SonicWall SMA100 NetExtender (CVE-2024-29014) that could be triggered during client updates
For GlobalProtect, attackers need local non-admin access or a presence on the same subnet as the client to install malicious certificates and software. This could lead to credential theft and privilege escalation.
The NetExtender flaw allows attackers to trick users into connecting to rogue VPN servers through malicious websites or documents. The server can then push fake updates signed with stolen certificates to gain system-level access.
While no active exploitation has been observed, both vendors have released patches to address these security gaps. Users of affected VPN clients should update their software immediately.
The findings highlight how VPN solutions, typically used for security, can become attack vectors when they contain unpatched vulnerabilities. Organizations relying on these VPN clients should prioritize regular security updates to protect their systems.