As many VPN appliances, by their very nature exposed on the Internet, are subject to vulnerabilities<\/strong> and poor configuration<\/strong> (lack of MFA, legacy accounts, weak password policy, etc.), the challenge is to prevent threat actors from exploiting these flaws and, if they do, to prevent them from carrying out their attacks<\/strong>. It can be very complex due to number of factors: vulnerabilities being exploited well before publication, editors not releasing patches immediately, bypassing of these patches, lack of information related to the vulnerabilities, lack of monitoring of vulnerable devices, etc.<\/p>\n\n\n\n Besides, compromises of this nature do not only concern devices in production<\/strong> at the time vulnerabilities are published, but also all legacy devices that are often less or not monitored. For instance, when deploying a new instance, system updates must be applied as well as security patches. Otherwise, the new instance might be up-to-date but vulnerable.<\/p>\n\n\n\n We will present, in this paper, five cases encountered several times by CERT Intrinsec<\/strong>, during its incident response engagements, which highlight the weaknesses observed and potential solutions to prevent this type of situation.<\/p>\n\n\n\n CERT Intrinsec is a French incident response team that performs its operation mainly on the French sector. The team deals with about 50 major incidents per year<\/strong> and works to help its customers to recover from cyber-attacks and strengthen their security. Since 2017, CERT Intrinsec has responded to of hundreds of security breaches involving companies and public entities<\/strong>. The majority of those incidents are related to cybercrime and ransomware attacks with financial objectives, hence, CERT Intrinsec follows those groups activities and generates comprehensive intelligence from the field. ANSSI (French National Security Agency) granted CERT Intrinsec PRIS (State-Certified Security Incident Response Service Providers) certification<\/strong>. The latter testify that CERT Intrinsec meets specific incident response requirements, using dedicated procedures, qualified people and appropriate infrastructures.<\/p>\n\n\n\n As the patch cycle differs from a company to another, each of them may find themselves in different situations when it comes to VPN compromised. All of the scenarios below describe these situations.<\/p>\n\n\n\n In the best-case scenario, the security team monitors vulnerabilities<\/strong>, especially on exposed devices, is able to Run update and patch quickly<\/strong> and is able to perform investigation<\/strong> on its own devices. Besides, it follows the editor's publications<\/strong> to monitor measures taken to mitigate the vulnerability.<\/p>\n\n\n\n Finally, it is able to conduct threat hunting<\/strong> on its information system to look for indicators of compromise related to vulnerabilities post exploitation. They ask from time to time a compromise assessment<\/strong> to its security service provider.<\/p>\n\n\n The key here is the ability to take action as fast as possible<\/strong> and deal with the three main locks when it comes to security<\/strong>: human<\/strong> (not enough people to monitor information system and vulnerabilities), budgetary<\/strong> (not enough money to conduct a compromised assessment or to replace a piece of device) and procedural<\/strong> (no clear division of tasks and roles).<\/p>\n\n\n\n In this case, the vulnerability issue is handled but with a little delay<\/strong>. Thus, exploitation attempts might have been conducted on the device. When the security team realizes that the vulnerable appliance could be compromised, it would conduct compromised assessment not only on the device<\/strong>, but on the perimeter accessible from the appliance as well, to verify if any post exploitation actions are taking place.<\/p>\n\n\n\n It should look for multiple kinds of evidence<\/strong>, including system<\/strong> compromised, suspicious or malicious network flows<\/strong>, either internal or external, but also suspicious accounts<\/strong> used by or on the compromised appliance.<\/p>\n\n\n Post-exploitation is underway. The SonicWall VPN appliance affected by multiple vulnerabilities<\/strong> has been compromised and the attacker created two local accounts<\/strong> on it (1). He then tried to connect to multiple servers using compromised accounts<\/strong> (2), he used PsExec<\/strong> tool to test its access to a first domain controller (3). Later on, he moved laterally using Remote Desktop Protocol<\/strong> (RDP) to a development server (4). Finally, he used systeminfo<\/strong><\/em> command to gather information about that same server (5).<\/p>\n\n\n\n All the malicious actions were carried out in less than an hour<\/strong>. The compromise was discovered by detecting the use of PsExec tool<\/strong> on the domain controller. Containment actions were taken quickly and digital forensic investigations were undertaken to find out the extent of the compromise<\/strong>.<\/p>\n\n\n Can we go further?<\/em> Here comes credentials harvesting<\/em> and large-scale compromise<\/em>.<\/p>\n\n\n\n In this very case, the threat actor first exploited the CVE-2024-55591 Fortinet vulnerability<\/strong> (1). This vulnerability allows an attacker to bypass authentication<\/strong> of FortiOS administration interface and to gain administrator privileges<\/strong> by sending crafted queries to the websocket module.<\/p>\n\n\n\n Three months later, as a Security Operation Center<\/strong> (SOC) was being deployed, multiple alerts were raised about potential data exfiltrations.<\/p>\n\n\n\n We found out that the attacker connected to the network using a compromised account<\/strong> through the Fortinet VPN and accessed to the primary domain controller<\/strong> (2) via Remote Desktop Protocol<\/strong> (RDP). Within 3 minutes, he dumped Active Directory NTDS database<\/strong> and exfiltrate it to his remote server (3). He then disconnected 6 minutes later.<\/p>\n\n\n\n Four hours later, the attacker came back and performed a ping scan on a specific network range<\/strong> from his VPN session (4). He then waited two more hours before starting to connect to multiple servers: domain controller, filer, backup, etc. (5). He collected registry hives on the backup server.<\/p>\n\n\n\n On the next day, the threat actor continues his credential harvesting process<\/strong> by repeating it on hypervisors, administration and support servers<\/strong> (6).<\/p>\n\n\n\n Two days after the start of post exploitation actions<\/strong>, the alert is raised and containment measures are applied on accounts, servers and networks.<\/p>\n\n\n The worst-case scenario is the compromised or use of the VPN appliance compromised leading to ransomware attacks.<\/p>\n\n\n\n In this case, the attacker was able to get a VPN session using a compromised account<\/strong>. (1) He then connected to a VEEAM backup server<\/strong> and exploited the CVE-2024-40711<\/strong> deserialization vulnerability (2) and thus, created a local account<\/strong> on the server (3). After ensuring its persistence, he scanned network shares and devices<\/strong> from his VPN session (4), writing the results in text files.<\/p>\n\n\n\n He then decided to move laterally to two different servers: an hypervisor<\/strong> via Remote Desktop Protocol (RDP) using a compromised domain administrator account<\/strong> (5), and a business server where he not only added another persistence (6), installing AnyDesk<\/strong> solution, but also installed RClone<\/strong> cloud synchronization tool in order to exfiltrate data (7).<\/p>\n\n\n\n Finally, he browsed network shares and folders<\/strong> (8), before listing hypervisors and virtual machines<\/strong> (9) available on the information system and deploying his ransomware<\/strong> binary (10).<\/p>\n\n\n It is important to state that VPN compromises are not only due to vulnerability exploitation but also to weak configuration (authentication flow, password policies, multi-factor authentication, local accounts, etc.).<\/strong><\/em> For instance, we came across a case where an attacker was able to authenticate with any of VPN group names, as an identifier, without needing any password.<\/p>\n\n\n\n As we saw in these five cases, lack of security allows threat actors to go even further in their attacks. It is possible to increase the level of security<\/strong> to avoid or prevent these attacks. Regarding the exploitation of vulnerabilities on VPN appliance, it is possible to build an efficient patch management along with a monitoring process<\/strong> that enables the most critical vulnerabilities on the most important devices to be identified as quickly as possible. As editors might not release patches right away or the latter might be bypassed, it is important to monitor the evolution<\/strong> of interesting information related to critical vulnerabilities (editor's solutions, indicators of compromise, hunting opportunities and so on).<\/p>\n\n\n\n There are more common ways to reduce the attack surface. First, avoid exposing administration or management interfaces<\/strong> to the Internet prevents attackers from exploiting vulnerabilities leveraging these interfaces. Multi-factor authentication (MFA) is the cornerstone of remote access security<\/strong>. Indeed, some kind of vulnerabilities, like CVE-2019-13379, allows attackers to get access to credentials, but you can prevent them from accessing your network if MFA is implemented. Besides, threat actors can end up with stolen credentials, that they can use on VPN appliance, from several sources (leaks, credentials stealers, phishing, etc.).<\/p>\n\n\n\n If an attacker breaks into your network, you can make his job harder by reducing user privileges to what is strictly necessary<\/strong> and review accesses on a regular basis<\/strong>. You should delete as well local legacy accounts<\/strong> on VPN appliances that are not used anymore, to prevent an attacker from using it.<\/p>\n\n\n\n Finally, you can set up Geo IP restriction<\/strong> on your VPN appliances and set strong password policies<\/strong>, both locally and with all other authentication methods (Active Directory, etc.).<\/p>\n\n\n\n When it comes to monitoring, we think first of indicators of compromise<\/strong> (IOC) available, either from the editor or from security research companies. These IOCs can be linked to the vulnerability exploitation itself<\/strong> or to intrusion sets<\/strong> operated once vulnerability has been exploited.<\/p>\n\n\n\n\n\n More specifically, by monitoring system logs<\/strong>, you will be able to detect suspicious account creation, group change, unusual connections and so on.<\/p>\n\n\n\n During few CERT Intrinsec incident response engagements, companies were in the process of migrating from one VPN solution to another<\/strong>. Sometimes, this process takes quite a long time and legacy instances remain up even if they are not used anymore. It is important to keep an up-to-date inventory of exposed equipment. Year external assets security monitoring (EASM)<\/strong> can be useful to identify overlooked devices or solutions that might be vulnerable.<\/p>\n\n\n\n Finally, it is essential to continue monitoring after patching<\/strong>, and to reset or rebuild appliances because patches may be subject to bypass.<\/p>\n\n\n\n When Security Operation Center (SOC) or local security team finds some evidence of VPN appliance compromised, it might request a compromise assessment<\/strong> on the impacted perimeter.<\/p>\n\n\n\n The incident response team should already be aware of that vulnerabilities and able to conduct forensic investigations. Tea knowledge<\/strong> is based on editor's publications<\/strong>, proof of concept<\/strong>, previous commitments<\/strong> related to the same vulnerability, indicators of compromise<\/strong> from post exploitation intrusion set, researches<\/strong> on forensic artifacts or specific logs and how to exploit them, closed sources, etc.<\/p>\n\n\n\n Not to forget that the assessment should not only rely on forensic data collection, but should take advantage of all the security and monitoring solutions available on the perimeter<\/strong> (SIEM, EDR, XDR, cloud consoles, etc.). The availability of the network logs is often a weak spot when conducting forensic investigations. That is why you should make sure that these elements are properly stored, accessible and usable<\/strong>.<\/p>\n\n\n\n When it comes to VPN appliances, resources available to investigate can vary a lot. You should then rely on editor's documentation<\/strong>, available command lines<\/strong> and diagnostic tools<\/strong> (Internal and External Integrity Checker (ICT) for Ivanti, Tech Support File (TSF) for Palo Alto, etc.). You should check as well configuration<\/strong>, users, groups, network rules and so on.<\/p>\n\n\n\n Finally, it is important to analyze areas of the information system that are accessible from a VPN session or from the device itself<\/strong>, depending on the incident, performing system and network analysis.<\/p>\n\n\n\n<\/a>CERT Intrinsic presentation<\/h3>\n\n\n\n
<\/a>How far will the compromise take us?<\/h3>\n\n\n\n
<\/a>Scenario 1 \u2013 Vulnerability monitoring and early compromised assessment<\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/01\/vpn_1.png\")
<\/figure>\n<\/div>\n\n\n<\/a>Scenario 2 \u2013 Exploited appliance and early remediation<\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/01\/vpn_2-1.png\")
<\/figure>\n<\/div>\n\n\n<\/a>Scenario 3 \u2013 Discovery and lateral movement time<\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/01\/vpn_3.png\")
<\/figure>\n<\/div>\n\n\n<\/a>Scenario 4 \u2013 Credentials collection party<\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/01\/vpn_4-1024x638.png\")
<\/figure>\n<\/div>\n\n\n<\/a>Scenario 5 \u2013 From weak VPN to ransomware attack<\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/01\/vpn_5.png\")
<\/figure>\n<\/div>\n\n\n<\/a>Insights about hardening and configuration<\/h3>\n\n\n\n
<\/a>Insights about monitoring<\/h3>\n\n\n\n
<\/a>Insights about investigation<\/h3>\n\n\n\n
<\/a>Insights about rebuilding<\/h3>\n\n\n\n