Some Company VPN Applications Insecurely Store Authentication Session Cookies - Cybers Guards

“This configuration is likely to be generic to additional VPN applications,” Oliver said, suggesting that many of the other 240 enterprise VPN vendors CERT/CC keeps track of might likewise be affected and would require more testing. The F5 Networks BIG-IP app patched the 2017 issue of storing authentication/session cookies in local log files.

The following products and versions store VPN authentication/session cookies insecurely in log files, according to the CERT/CC alert:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the VPN authentication/session cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

Palo Alto Networks released an update to deal with both problems. Cisco and Pulse Secure did not publicly acknowledge the problem. F5 Networks has been aware since 2013 that some of its VPN apps store authentication/session cookies insecurely in OS memory, but has decided not to release a patch, advising customers instead to enable their VPN clients to use OTP (one-time password) or 2FA (two-factor authentication) rather than only a password challenge. This allows an attacker to access the internal network, intranet portal or other sensitive applications directly and without harm. The Check Point and pfSense enterprise VPN apps were considered safe.
The “Remote Access” working group of the National Defense ISAC, a community for sharing cyber and physical security indicators for the US defense sector, has raised the issue of insecure storage of enterprise VPN authentication/session cookies. An attacker with access to the computer, or malware running on it, can retrieve this information and then use it to resume VPN sessions on another system without authenticating. A security alert issued earlier today by US-CERT, part of the DHS, covers the affected VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. All four were confirmed to store unencrypted authentication and/or session cookies in memory or in log files on the computer's disk.
