Some Company VPN Applications Insecurely Store Authentication/Session Cookies - Cybers Guards

The “Remote Access” working group with National Defense ISAC, a community for sharing cyber and physical security indicators for the US Defense Department sector, has raised the question of insecure storage of company VPN authentication/session cookies. It affects the Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure VPN apps described in a security alert issued earlier today by the DHS's US-CERT. All four were confirmed to store unencrypted authentication and/or session cookies in memory or in log files on the computer's disk.

An attacker with access to the computer, or malware running on the computer, can retrieve this information and then use it to resume the VPN session on another system without authentication. This allows an attacker to access the internal network, intranet portals or other sensitive applications directly and without hindrance.

The following products and versions store VPN authentication/session cookies insecurely in log files, according to the CERT/CC alert:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the VPN authentication/session cookie insecurely in memory:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

Palo Alto Networks released an update to address both issues. F5 Networks has been aware since 2013 that some of its VPN apps store authentication/session cookies in OS memory in an insecure form, but has decided not to release a patch, advising customers to enable their VPN clients to use OTP (one-time password) or 2FA (two-factor authentication) instead of just a password challenge. The F5 Networks BIG-IP app fixed the issue of storing authentication/session cookies in local log files in 2017. Cisco and Pulse Secure did not publicly acknowledge the issue. The Check Point and pfSense enterprise VPN apps were considered safe.

“This configuration is likely to be generic to additional VPN applications,” Oliver said, suggesting that many of the other 240 enterprise VPN vendors CERT/CC keeps track of might also be affected and would require more testing.
