
Security Vulnerabilities with Remote Access Technologies: An Overview

March 7, 2024

Recent vulnerabilities in legacy VPN appliances such as Ivanti Connect Secure (formerly Pulse Secure) and Cisco ASA have prompted urgent advisories and emergency directives from CISA and DHS. They have brought a long-known problem back into the limelight: anything that allows remote access into your business becomes a tool for attackers if it is not carefully secured. Knowing the important security vulnerabilities in remote access technologies such as VPN and RDP is therefore critical if you want to secure your organization while still enabling remote work.

Remote Access Isn’t Going Away

In the modern world, remote access tools are unavoidable. Unfortunately, attackers like them as much as your remote workforce does. With the rise of work-from-home, the ubiquity of personal devices, and an increasingly complex and interconnected supply chain, remote access is here to stay. When federal agencies were given 48 hours to disconnect their vulnerable Ivanti appliances, the impact on productivity was serious. Connectivity is critical in the modern world; the question is how to provide remote access securely.

Security Vulnerabilities with Remote Access Technologies

Legacy VPN Vulnerabilities and Government Directives

Recent advisories from US federal agencies have highlighted significant vulnerabilities in traditional VPN appliances, including authentication bypasses, command injections, and other flaws that enable unauthorized access and lateral movement within networks. Legacy VPNs present a structural problem as well: once a user authenticates, they are typically granted broad network access, which can expose critical resources far beyond what the user actually needs. A VPN gives users, and any compromised endpoint they connect from, direct entry into sensitive networks, increasing the risk of a data breach.

Common Types of VPN Vulnerabilities and Risk Factors

Let’s go through some important vulnerabilities and highlight the biggest risks—and provide some advice for keeping networks secure.

Authentication Bypasses

Authentication bypasses allow an attacker to reach functionality that should require a valid session without ever presenting valid credentials. Ivanti's VPN products have had several such flaws. CVE-2023-46805 is an authentication bypass in the web component of Ivanti Connect Secure and Policy Secure; in the attacks that triggered the 2024 advisories it was chained with CVE-2024-21887, a command injection in the same products, to achieve unauthenticated remote code execution. Earlier, CVE-2019-11510 (disclosed before Pulse Secure was acquired by Ivanti in 2020) was a pre-authentication arbitrary file read in Pulse Connect Secure that let attackers pull credentials and session data off the appliance.

Cisco's combined VPN and firewall offering (Cisco ASA, along with Firepower Threat Defense) has also been affected by authentication-related bypasses, most recently CVE-2023-20247, which allowed a remote attacker holding a valid username and password to bypass a configured multiple-certificate authentication policy on the remote access VPN.

A more secure remote access solution should provide identity-driven access, ensuring authentication is verified before access is granted.
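The following is an added, constructed illustration of one way an authentication bypass of this kind arises in a web front end: an allow-list of unauthenticated paths is checked against the raw request path, while the backend router decodes and normalizes the path before dispatching it, so a traversal sequence reaches a protected endpoint without a session. It is not the code of any product named in this article; the endpoint names, the allow-list and the two gate functions are all hypothetical.

```python
"""Constructed example: an unauthenticated-path allow-list checked against the
raw request path (vulnerable) versus the decoded, normalized path (fixed).
Not the code of any vendor product; endpoint names are hypothetical."""
import posixpath
from urllib.parse import unquote

# Hypothetical endpoints that legitimately require no session.
UNAUTHENTICATED_PREFIXES = ("/api/v1/totp/", "/api/v1/login")
# Hypothetical endpoints that must only be reachable with a session.
PROTECTED_ENDPOINTS = {"/api/v1/system/config", "/api/v1/admin/users"}


def normalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes the way the backend router does."""
    return posixpath.normpath(path)


def route(path: str) -> str:
    """Backend router: decodes and normalizes the path, then dispatches it."""
    target = normalize(unquote(path))
    if target in PROTECTED_ENDPOINTS:
        return f"protected:{target}"
    return f"public:{target}"


def gate_vulnerable(path: str, authenticated: bool) -> str:
    """Checks the allow-list against the RAW path. '/api/v1/totp/../system/config'
    looks public here but resolves to a protected endpoint inside route()."""
    if authenticated or path.startswith(UNAUTHENTICATED_PREFIXES):
        return route(path)
    return "401"


def gate_fixed(path: str, authenticated: bool) -> str:
    """Decodes first, rejects any traversal segment outright, then checks the
    allow-list against exactly the path the router will dispatch."""
    decoded = unquote(path)
    if any(segment in ("..", ".") for segment in decoded.split("/")):
        return "400"
    target = normalize(decoded)
    if authenticated or target.startswith(UNAUTHENTICATED_PREFIXES):
        return route(target)
    return "401"


if __name__ == "__main__":
    for p in ("/api/v1/totp/../system/config", "/api/v1/totp/%2e%2e/system/config"):
        print(p, "vulnerable ->", gate_vulnerable(p, False), "| fixed ->", gate_fixed(p, False))
```

The decisive property of the fix is that the authentication decision and the routing decision are made on the same canonical string; any gap between the two (encoding, normalization, case folding, trailing-slash handling) is where a bypass lives.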

Compounding Risk Factors

Lateral Movement

Legacy VPNs are network-centric by design: a successful login, or a compromised appliance, places the attacker on the internal network, from which they can move laterally to other hosts. Ivanti's appliances were exploited in exactly this way, and Cisco ASA is exposed to the same consequence once the perimeter device itself is breached.

Prevent lateral movement by implementing identity-based segmentation to block unauthorized lateral movements.

Persistent Access and Webshell Installation

Particularly concerning is research showing that compromises of various VPN products, across several CVEs, can result in long-term access: even after the vulnerable appliance is patched or removed, attackers may retain a foothold elsewhere in the environment. MITRE ATT&CK catalogs web shells (sub-technique T1505.003, Server Software Component: Web Shell, under the Persistence tactic) as a common means of maintaining that access.

This warrants security solutions and architecture built on continuous verification (including multi-factor authentication) that eliminate all-or-nothing access and make persistence harder to establish and easier to detect. To counter web shells specifically, ensure your remote access solution gives you full visibility and control of remote sessions, and verify the integrity of the remote access appliance itself rather than trusting its own self-report.
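As an added example (not code from the article or any vendor's integrity checker), here is a minimal baseline-and-diff check of a web root combined with content heuristics for the most common web-shell primitives. The sample web root, the planted shell and the regex list are all constructed for the demonstration; the baseline should come from a known-good image, not from the appliance you suspect is compromised.

```python
"""Constructed example: hash-baseline diff plus content heuristics for hunting
web shells dropped on an appliance's web root. Paths and shell snippets are
illustrative, not real indicators of compromise."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed list of common PHP-style web-shell primitives.
SHELL_PATTERNS = [
    re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\b", re.I),
    re.compile(rb"(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(", re.I),  # $_GET['f']($_GET['a'])
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def looks_like_shell(path: Path) -> bool:
    data = path.read_bytes()
    return any(pat.search(data) for pat in SHELL_PATTERNS)


def hunt(root: Path, baseline: dict) -> dict:
    """Compare the live tree to the baseline; content-scan anything new or changed."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    suspicious = sorted(k for k in added + modified if looks_like_shell(root / k))
    return {"added": added, "missing": missing, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate a compromise."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "lib").mkdir()
    (root / "index.php").write_text('<?php echo "ok"; ?>\n')
    (root / "lib" / "auth.php").write_text("<?php function check($u, $p) { return verify($u, $p); } ?>\n")
    baseline = build_baseline(root)  # taken while the tree is known-good

    # Simulated attacker activity (constructed): a dropped shell and a backdoored file.
    (root / "uploads").mkdir()
    (root / "uploads" / ".cache.php").write_text("<?php eval(base64_decode($_POST['x'])); ?>\n")
    with (root / "lib" / "auth.php").open("a") as f:
        f.write("<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>\n")
    return hunt(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash diff catches the backdoored file even though a signature-only scan of "new files" would miss it; the content heuristics give a first triage signal for the files the diff surfaces. A production check should run the scan from outside the appliance (mounted image or exported tree), since a compromised device can lie about its own files.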

How to Protect Your Organization from Cyber Threats

The writing on the wall is that VPN solutions can increase attack surface and expose your organization to unacceptable risks. To learn more about how remote access can be provided in a more secure way, learn about identity-based approaches to remote access.