Passwords & MFA Melting VPNs


Nikhil Bhansi

April 27, 2021

Passwords & MFA Melting VPNs

The VPN Meltdown

Throughout the March & April month, Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agent (CISA)  has reported numerous  incidents where old vulnerabilities in popular VPNs were exploited by organized (or state sponsored)   hackers, around the world.

Large numbers of malware families & malicious actors across the globe are on the spree of exploiting the old unpatched vulnerabilities in Fortinet as well as Zero-day in Pulse Secure VPN. 

The victims of the attacks are include sensitive segments like government agencies, Defense contractors & financial institutions amongst many others

The Impact

Digital Journal quoted Vinay Sridhara, CTO of Balbix Inc.,  “About 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users. 

“What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he added.

People shifting to remote working has  increased the demand for SSL VPNs, also the attack surface + available targets for APT groups and cybercriminals. 

Credential Compromise

The passwords form both the VPNs Fortigate and Pulse Secure are being compromised using different CVEs.

Many unpatched vulnerabilities form the recent past have allowed an unauthenticated attackers to compromise a vulnerable VPN server. The attacker able to gain access to all active users and their plain-text credentials. 

Attackers could also execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Affected VPNCVE IDDescriptionImpact
CVE-2019-5591Configuration vulnerability may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server, as default configuration does not verify the LDAP server Identity.Information Disclosure(password files & private keys)
CVE-2019-11510arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable  Pulse Secure VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commandsAccess to passwords
Vulnerabilities giving access to VPN credentials

2FA/MFA Bypass

Its common recommendation & best practice to have 2FA or MFA along with passwords for VPN. Its generally believed that if for some reasons passwords are compromised the VPNs are still safe due to additional factors.

But during these attacks, we have seen that both the VPNs also suffer MFA/2FA bypass vulnerabilities.  This makes the commonly followed best practice and recommendation of having 2FA/MFA pointless. 

Affected VPN CVE IDDescriptionImpact
CVE-2020-12812Improper Authentication vulnerability in SSL VPN 2FA in FortiOS, results in a user to log successfully without being prompted for the 2FA (FortiToken) if they changed the case of their username.Operational Risk, Improper Authentication2FA/MFA Bypass
SlowPulse Malware familySecrete Backdoor access allows hackers to disable or bypass 2FA/MA verificationBypassing single & multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells
Vulnerabilities allowing to bypass 2FA/MFA


Passwords are by far the weakest link when it comes to security today. Successful attacks involve lost, breached or re-used passwords and we have seen that 2FA/MFA are of no help. 

You cannot avoid the patch but you can definitely avoid passwords & the 2FA/MFA solutions and go passwordless with much more ease and convenience.

Today, the smartest & the most secure way to sign In on any VPN or enterprise applications is by going completely passwordless.

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.


Share this article    

Connect with Us!

Subscribe to receive new blog post from PureID in your mail box