VPN applications offered by Cisco, Palo Alto, F5 and Pusle are putting users at risk by failing to securely store session cookies, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon’s CERT are warning.

If threat actors can obtain access to a session cookie, they can use it to continue the victim’s session, which will allow them to bypass authentication for applications accessed by the user during the session.

Read more: Gov’t warns on VPN security bug in Cisco, Palo Alto, F5, Pulse software