A vulnerability in the Aviatrix VPN client, now patched, previously gave an attacker unlimited access to the targeted device. The Aviatrix VPN client is used by large US organizations, notably NASA and Shell. All versions of the VPN have been patched, and the fixed versions are now available for download.
Immersive Labs researcher Alex Seymour uncovered the vulnerability in early October after noticing that a pair of web servers were also launched during the VPN client’s open sequence. Seymour was able to show that, after initial access to the device, privileges could be escalated to allow the attacker to run any code desired on the targeted device. Aviatrix patched the vulnerability in less than a month and urged users to update to the latest version as soon as they can.
Read More: VPN Flaw Allows Criminal Access to Everything on Victims’ Computers