Security flaws found in top VPNs

Security flaws have been uncovered in some of the most popular VPN services on the market today.

Researchers at Cisco Talos discovered two vulnerabilities in the NordVPN and ProtonVPN offerings that could have allowed hackers to hijack a user's machine.

The flaws stemmed from a design issue in both clients: by crafting a new OpenVPN command line, an attacker could execute arbitrary code on Windows machines without needing authorisation, putting users' machines at risk.

VPN security

The flaws, which were assigned CVE-2018-3952 and CVE-2018-4010, were similar to one found earlier this year by VerSprite. That earlier vulnerability had been patched by both vendors, but the Talos team were able to circumvent those fixes.

The fixes were initially released in April, with NordVPN issuing a second patch last month, meaning the majority of its users were automatically protected.

"We have a diligent team of dedicated software engineers and cybersecurity experts working on our system to keep it as secure and functional as possible," NordVPN's Daniel Markuson wrote in a company blog post.

"With that being said, everyone makes mistakes. That’s why the work of institutions like Talos Intelligence is so important. By discovering vulnerabilities and reporting them to companies before they’re published, they help make the internet a more secure place for everyone – without endangering users in the process."

ProtonVPN released its patched version earlier this month.

"Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update," a ProtonVPN spokesperson told ZDNet. "We have not seen any evidence of this being exploited in the wild, as a user's computer needs to first be compromised by a hacker before this bug can be exploited."

The Talos team advised all ProtonVPN and NordVPN users to patch their VPNs as soon as possible to avoid any potential risk.


Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.