NachoVPN Tool Exploits Flaws in Popular VPN Clients for System Compromise

Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems.
"By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access with minimal effort," AmberWolf said in an analysis.
In a hypothetical attack scenario, this plays out in the form of a rogue VPN server that can trick the clients into downloading malicious updates that can cause unintended consequences.
The result of the investigation is a proof-of-concept (PoC) attack tool called NachoVPN that can simulate such VPN servers and exploit the vulnerabilities to achieve privileged code execution.
The identified flaws are listed below -
- CVE-2024-5921 (CVSS score: 5.6) - An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows)
- CVE-2024-29014 (CVSS score: 7.1) - A vulnerability impacting SonicWall SMA100 NetExtender Windows client that could allow an attacker to execute arbitrary code when processing an End Point Control (EPC) Client update. (Affects versions 10.2.339 and earlier, addressed in version 10.2.341)
Palo Alto Networks has emphasized that the attacker needs to either have access as a local non-administrative operating system user or be on the same subnet so as to install malicious root certificates on the endpoint and install malicious software signed by the malicious root certificates on that endpoint.

In doing so, the GlobalProtect app could be weaponized to steal a victim's VPN credentials, execute arbitrary code with elevated privileges, and install malicious root certificates that could be used to facilitate other attacks.
Similarly, an attacker could trick a user to connect their NetExtender client to a malicious VPN server and then deliver a counterfeit EPC Client update that's signed with a valid-but-stolen certificate to ultimately execute code with SYSTEM privileges.
"Attackers can exploit a custom URI handler to force the NetExtender client to connect to their server," AmberWolf said. "Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed."
While there is no evidence that these shortcomings have been exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to safeguard against potential threats.
The development comes as researchers from Bishop Fox detailed its approach to decrypting and analyzing the firmware embedded in SonicWall firewalls to further aid in vulnerability research and build fingerprinting capabilities in order to assess the current state of SonicWall firewall security based on internet-facing exposures.
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
InformationalStorable and Cacheable Content
HighSQL Injection
Medium.env Information Leak
MediumBackup File Disclosure
MediumX-Frame-Options Defined via META (Non-compliant with Spec)
InformationalInformation Disclosure - Sensitive Information in HTTP Referrer Header
InformationalCORS Header
LowBig Redirect Detected (Potential Sensitive Information Leak)
CWE-210 Self-generated Error Message Containing Sensitive Information
HighCWE-639 Authorization Bypass Through User-Controlled Key
CWE-1386 Insecure Operation on Windows Junction / Mount Point
CWE-1050 Excessive Platform Resource Consumption within a Loop
CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption
Free online web security scanner