In a security alert published earlier today, the DHS US-CERT reported that VPN apps from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are affected. All four were confirmed to store unencrypted authentication and/or session cookies in a computer's memory or in log files stored on disk. An attacker with access to the computer, or malware running on the computer, can retrieve this data and then use it to resume the VPN session on another system without authenticating. This allows an attacker to access the internal network, intranet portals or other sensitive applications directly and without hindrance.

The following products and versions store VPN authentication/session cookies insecurely in log files, according to the CERT/CC alert:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the VPN authentication/session cookies insecurely in memory:

– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

Palo Alto Networks released an update to deal with both problems. F5 Networks has been aware since 2013 that some of its VPN apps store authentication/session cookies insecurely in OS memory, but has decided not to release a patch, instead advising customers to enable OTP (one-time password) or 2FA (two-factor authentication) for their VPN clients rather than using only a password challenge.

The issue of storing authentication/session cookies in local log files was patched in the F5 Networks BIG-IP app in 2017. Cisco and Pulse Secure did not publicly acknowledge the problem. The Check Point and pfSense enterprise VPN apps were considered secure.

"This configuration is likely to be generic to additional VPN applications," Oliver said, suggesting that many of the other 240 enterprise VPN providers that CERT/CC keeps track of might also be affected and would need more testing.

The "Remote Access" working group with National Defense ISAC, a cyber and physical security sharing community for the US defense sector, raised the issue of insecure storage of enterprise VPN authentication/session cookies.
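The log-file half of the problem described above comes down to a client writing a replayable cookie into its own logs. The following is an added example, not code from any of the vendors named in this article: a Python logging filter that replaces the cookie value with a keyed fingerprint before anything is written. The field names, logger name, hostname and cookie value are all hypothetical or constructed.

```python
import hashlib
import hmac
import logging
import re
import secrets

# Per-process key: a fingerprint correlates log lines but cannot be replayed as a cookie.
_FP_KEY = secrets.token_bytes(32)
# Hypothetical field names; replace with the ones your client really logs.
_SECRET_RE = re.compile(r"(?i)\b(sessionid|session|authcookie|token)(\s*[=:]\s*)([^\s;,&\"']+)")

def fingerprint(value: str) -> str:
    """Keyed, truncated digest that stands in for the secret in logs."""
    digest = hmac.new(_FP_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"<redacted fp={digest[:12]}>"

def redact(text: str) -> str:
    return _SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + fingerprint(m.group(3)), text)

class RedactSessionSecrets(logging.Filter):
    """Rewrite each record before the handler writes it anywhere."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already fully formatted
        return True

class ListHandler(logging.Handler):
    """Stand-in for a file handler so the demo runs without touching disk."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def demo() -> list:
    """Log constructed sample lines through the filter; return what was written."""
    handler = ListHandler()
    handler.addFilter(RedactSessionSecrets())
    log = logging.getLogger("vpnclient.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [handler]
    cookie = "9f2c1e7ab4d84c0e8a7755e1c3b0d6aa"  # constructed sample value
    log.info("tunnel up, session=%s gateway=%s", cookie, "vpn.example.test")
    log.info("resume request authcookie=%s; keepalive", cookie)
    return handler.lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

This covers only what reaches the log; a cookie held unencrypted in process memory is a separate problem that log redaction does not address.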