According to a security alert issued earlier today and reported by US-CERT at the DHS, VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are affected. All four were confirmed to store unencrypted authentication and/or session cookies in memory or in log files on the computer's disk.

An attacker with access to the computer, or malware running on it, can retrieve this information and then use it to resume VPN sessions on another system without authenticating. This allows an attacker to access the internal network, intranet portals, or other sensitive applications directly and without hindrance.

The following products and versions store VPN authentication/session cookies insecurely in log files, according to the CERT/CC alert:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store VPN authentication/session cookies insecurely in memory:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

Palo Alto Networks released an update that deals with both problems. F5 Networks has been aware since 2013 that some of its VPN apps store authentication/session cookies insecurely in OS memory, but has decided not to issue a patch, instead advising customers to enable OTP (one-time password) or 2FA (two-factor authentication) for their VPN clients rather than relying on a password challenge alone.
The issue of storing authentication/session cookies in local log files was patched in the F5 Networks BIG-IP app in 2017. Cisco and Pulse Secure did not publicly acknowledge the problem. The enterprise VPN apps from Check Point and pfSense were deemed safe.

"This configuration is likely to be generic to additional VPN applications," Oliver said, suggesting that many of the other 240 enterprise VPN providers CERT/CC keeps track of might also be affected and would require more testing.

The "Remote Access" working group of the National Defense ISAC, a community for sharing cyber and physical security indicators for the US defense sector, raised the issue of insecure storage of VPN authentication/session cookies.