When the Gateway Becomes the Breach Point
by Reflare Research Team on Nov 11, 2025 1:15:00 PM
Across the cybersecurity landscape, SSL VPNs were once trusted gateways for secure remote access. But in breach after breach, they’ve become the most reliable way for attackers to walk straight into the network.
SSL: Still Somehow Leaking.
SSL VPN Vulnerabilities
Enterprise SSL VPN implementations have become a recurring target for sophisticated attackers. The pattern is consistent across vendors: vulnerabilities in internet-facing authentication systems that require no credentials to exploit, providing direct access to corporate networks. These flaws exhibit notable similarities across different manufacturers, reflecting common architectural patterns in SSL VPN implementations.
Let’s take a look at some of these vulnerabilities.
The Fortinet Story - From Path Traversal to Heap Corruption
Fortinet's SSL VPN has faced multiple critical vulnerabilities, starting with the path-traversal flaw (CVE-2018-13379) discovered by Orange Tsai and Meh Chang from DEVCORE, which fundamentally broke the trust model of SSL VPN security.
The attack mechanism was technically straightforward. Fortinet's SSL VPN web portal failed to properly restrict file access, allowing unauthenticated attackers to craft HTTP requests that bypassed directory restrictions. The primary target was not an arbitrary system file but rather the sslvpn_websession file, which contained active session data, including usernames and plaintext passwords. The attack required neither brute force attempts nor social engineering. Attackers needed only a path traversal sequence to obtain direct access to valid VPN credentials.
This vulnerability stayed on CISA's most exploited lists for years. Ransomware operators from Hive, Conti, and Avoslocker built entire campaigns around it. By late 2020, credentials for approximately 50,000 vulnerable Fortinet VPNs had leaked online.
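As an added illustration (not Fortinet's code, which this post does not reproduce), the following C shows the check a portal's file handler needs before it opens anything under its document root: percent-decode first so an encoded `..` cannot slip past, then refuse any path that climbs above the root. The root path, buffer sizes and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

static int hexnib(char c) {                 /* value of one hex digit, or -1 (also for '\0') */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                              /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Percent-decode src into dst; a malformed escape or a decoded NUL byte is refused. */
static bool percent_decode(const char *src, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; src[i]; i++, o++) {
        int c = (unsigned char)src[i];
        if (c == '%') {                     /* both digits must be present and valid */
            int hi = hexnib(src[i + 1]), lo = hi < 0 ? -1 : hexnib(src[i + 2]);
            if (lo < 0) return false;
            c = (hi << 4) | lo;
            i += 2;
        }
        if (c == 0 || o + 1 >= cap) return false;   /* %00 would truncate the path later */
        dst[o] = (char)c;
    }
    dst[o] = '\0';
    return true;
}
/* Join root and the normalised request into out: decode first so "%2e%2e" cannot hide "..",
 * drop "." and empty segments, and refuse any ".." that would climb above root. */
bool resolve_under_root(const char *root, const char *request, char *out, size_t out_cap) {
    char dec[512];
    const char *segs[64];
    int depth = 0, n;
    if (!percent_decode(request, dec, sizeof dec)) return false;
    for (char *p = dec; *p;) {
        while (*p == '/') p++;                      /* "//////" adds no segment */
        if (!*p) break;
        char *seg = p;
        while (*p && *p != '/') p++;
        if (*p) *p++ = '\0';
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) { if (depth == 0) return false; depth--; continue; }
        if (depth == 64) return false;              /* absurdly deep path: refuse */
        segs[depth++] = seg;
    }
    n = snprintf(out, out_cap, "%s", root);
    for (int i = 0; i < depth && n >= 0 && (size_t)n < out_cap; i++)
        n += snprintf(out + n, out_cap - (size_t)n, "/%s", segs[i]);
    return n >= 0 && (size_t)n < out_cap;           /* false if the result was truncated */
}
```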
Beyond the path traversal issue, Fortinet's SSL VPN faced another critical vulnerability class. The heap-based buffer overflow discovered by Charles Fol and Dany Bach from LEXFO demonstrated how memory corruption vulnerabilities persist in security-critical code. The flaw resided in the /remote/hostcheck_validate and /remote/logincheck endpoints, where the SSL VPN processed a hex-encoded parameter.
Looking deeper into this vulnerability, the researchers discovered inadequate bounds checking. The code allocated a buffer based on the length of the hex-encoded input, decoded it, and then attempted to verify the length. However, it checked against the wrong value: instead of comparing against the allocated buffer size, it compared against the original hex-encoded parameter length. This off-by-one error allowed attackers to write outside the intended buffer boundaries.
The choice of memory allocator proved significant for exploitation reliability. FortiOS uses jemalloc which, unlike glibc's malloc with its heap corruption protections, offers a predictability that allows exploits to reliably reclaim chunks and control memory layout.
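Added example, not FortiOS code: the hex-decoding pattern described above, written so that the bound is the destination's real capacity, beside the vacuous check kept only as a predicate so that it never touches memory. DECODED_CAP and the function names are assumptions for the example.

```c
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Capacity of the fixed destination the handler is assumed to decode into (constructed). */
#define DECODED_CAP 32

static const char HEX[] = "0123456789abcdef";

static int hexnib(char c) {                       /* value of one hex digit, or -1 */
    const char *p = c ? strchr(HEX, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - HEX) : -1;
}

/* Hardened decoder: the bound is the real capacity of the destination, checked before a
 * single byte is written; odd length and non-hex digits are refused rather than guessed.
 * Returns the decoded length, or -1 when the input must be rejected. */
int hex_decode_bounded(const char *hex, unsigned char *out, size_t out_cap) {
    size_t hex_len = strlen(hex);
    if (hex_len % 2 != 0) return -1;
    size_t decoded_len = hex_len / 2;
    if (decoded_len > out_cap) return -1;        /* compare with the buffer, not the input */
    for (size_t i = 0; i < decoded_len; i++) {
        int hi = hexnib(hex[2 * i]), lo = hexnib(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)decoded_len;
}

/* The mistake described above, kept as a predicate: the post-decode check compares the
 * decoded length with the hex-encoded length. Decoding always halves the length, so this
 * check passes for every input and protects nothing. */
bool flawed_length_check(size_t decoded_len, size_t hex_len) {
    return decoded_len <= hex_len;
}
```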
Despite the severity of this vulnerability and the availability of patches, deployment of fixes was slow across affected organisations. When Bishop Fox surveyed the internet a month after patches shipped, they found over 335,000 FortiGate firewalls still vulnerable. Some had not been updated in eight years.
SonicWall - When Stack Frames Become Attack Vectors
While Fortinet addressed heap corruption issues, SonicWall faced a different class of memory safety vulnerabilities. Nikita Abramov and Craig Young discovered a stack-based buffer overflow in the SSL VPN portal that could be triggered before any authentication occurred.
The vulnerability resided in the HTTP/HTTPS service handling both management access and VPN connections. An attacker could send a malformed request with a custom protocol handler that overflowed a stack buffer, corrupting the call stack. While unsophisticated attackers could weaponise this for denial of service, the researchers demonstrated they could hijack execution flow through stack manipulation, making remote code execution feasible.
The exposure was extensive. A Shodan search at disclosure time found almost 800,000 potentially vulnerable devices with their SSL VPN interfaces exposed to the internet. The pre-authentication nature of the flaw meant that attackers required no credentials, no prior access, and minimal technical complexity. Attackers needed only to send the payload to trigger either a system crash or shell access.
SonicWall encountered additional SSL VPN vulnerabilities in subsequent years, including an improper access control vulnerability that particularly affected organisations which migrated from Gen 6 to Gen 7 devices without resetting credentials.
This vulnerability later became a valuable tool for ransomware operations. Akira ransomware operators, for example, gained initial access to networks through compromised local accounts, then pivoted to domain controllers within hours.
Palo Alto - Chaining Bugs for Maximum Impact
Palo Alto Networks' GlobalProtect vulnerability demonstrated how attackers chain seemingly minor flaws into critical exploits. During an investigation of compromised firewalls, the cybersecurity firm Volexity discovered that a threat actor had been actively exploiting a zero-day vulnerability.
The exploitation mechanism relied on two distinct weaknesses working in tandem. First, GlobalProtect's session handling code did not properly validate the format of session IDs before storing them. This allowed attackers to embed shell commands directly into the session identifier field. The system would create a file with the attacker's payload as the filename.
The second flaw provided the trigger mechanism. A scheduled system job, designed to process telemetry data, would execute with elevated privileges and use these filenames in commands. The OS implicitly trusted that files in its temp directory were legitimate, so when the cron job ran, it executed whatever the attacker had embedded in the filename. The telemetry functionality used curl to transmit logs, and attackers exploited this by injecting shell commands through malformed SESSID values in unauthenticated HTTP POST requests.
Active exploitation confirmed the practical impact of this vulnerability. Volexity observed UTA0218 creating reverse shells and downloading additional tools onto compromised devices. Palo Alto initially suggested disabling device telemetry as a workaround, but subsequently acknowledged that attackers had discovered methods to exploit the vulnerability without telemetry enabled.
Sophos - The Null Byte That Broke Authentication
Sophos's authentication bypass demonstrated how a single character could compromise security controls. The vulnerability, discovered through Sophos's bug bounty program, affected the User Portal and Webadmin.
Attackers sent POST requests to the /webconsole/Controller endpoint with carefully crafted JSON payloads. The key mechanism was null byte injection, which involved inserting \u0000 sequences into the mode parameter. A typical exploit used something like "mode\u0000ef":716 alongside arbitrary username and password values.
The null bytes caused the authentication logic to mishandle the request parsing. By manipulating where the null byte appeared in the mode parameter, attackers could trick the system into granting full administrative access without validating credentials. Exploitation required only an understanding of where to place the null byte in the JSON, not a sophisticated exploit framework.
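Added example, not Sophos or Palo Alto code, covering both the null-byte case here and the GlobalProtect SESSID case above: what "mode\u0000ef" looks like once a JSON parser has decoded it, why comparing it as a C string matches "mode" (an assumed failure mode, since the post does not describe Sophos's internals), the length-aware comparison that does not, and the allowlist a session ID should pass before it becomes a file name. All names and the allowlist policy are constructed for the example.

```c
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* What a JSON parser hands the application for the key "mode\u0000ef": 7 bytes with an
 * embedded NUL (constructed from the payload quoted above; the trailing NUL is padding). */
static const unsigned char KEY_WITH_NUL[] = { 'm', 'o', 'd', 'e', '\0', 'e', 'f', '\0' };
#define KEY_WITH_NUL_LEN 7

/* Assumed failure mode: the key is compared as a C string, so everything after the
 * embedded NUL is ignored and "mode\0ef" is routed exactly like "mode". */
bool key_equals_cstr(const unsigned char *key, size_t key_len, const char *name) {
    (void)key_len;                                /* the length is available but unused */
    return strcmp((const char *)key, name) == 0;
}

/* Length-aware comparison: all key_len bytes must match, so the padded key is rejected. */
bool key_equals_exact(const unsigned char *key, size_t key_len, const char *name) {
    size_t n = strlen(name);
    return key_len == n && memcmp(key, name, n) == 0;
}

/* Allowlist for any pre-authentication parameter: printable ASCII only, no control
 * bytes (this rejects the NUL above), no path separators or shell metacharacters. */
bool param_is_clean(const unsigned char *p, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (p[i] < 0x20 || p[i] > 0x7e) return false;
        if (strchr("/\\;|&$`'\"<>", p[i])) return false;
    }
    return true;
}

/* Stricter policy for a session ID that will become a file name on the appliance:
 * exact length and lower-case hex only, checked before the file is ever created. */
bool sessid_is_valid(const char *sid, size_t want_len) {
    if (strlen(sid) != want_len) return false;
    for (size_t i = 0; i < want_len; i++) {
        bool digit = sid[i] >= '0' && sid[i] <= '9';
        bool lower_hex = sid[i] >= 'a' && sid[i] <= 'f';
        if (!digit && !lower_hex) return false;
    }
    return true;
}
```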
According to Sophos, the firm observed this vulnerability being used to target a small set of specific organisations primarily in the South Asia region. In 2024, Sophos confirmed these attacks were part of a broader Chinese APT campaign.
Why SSL VPNs Keep Breaking the Same Way
Looking across vendors, patterns emerge in SSL VPN vulnerabilities. These services all face the same architectural challenge: they must process unauthenticated requests to establish initial connections. This pre-authentication attack surface creates opportunities for exploitation before any security checks occur.
Implementation choices across vendors show notable convergence. Vendors use comparable parsing libraries, analogous authentication flows, and make similar design decisions about what processing happens before credential verification. When security researchers find a buffer overflow in one vendor's SSL VPN implementation, examining competitors often reveals similar bugs. The underlying components are consistent across implementations: HTTP parsers, session managers, and credential validators all exposed to the internet, all processing untrusted input before authentication.
Memory corruption vulnerabilities represent a persistent challenge in these implementations, and they share a root cause with the injection flaws: Fortinet's heap overflow, SonicWall's stack overflow, and Palo Alto's command injection through file creation all stem from trusting input too early in the processing pipeline. Combined with the requirement of internet exposure, these flaws give remote attackers direct paths into corporate networks without needing any insider access or stolen credentials.
Whether the industry will fundamentally rethink how these services are architected, or whether similar vulnerabilities will continue to emerge, remains an open question.