Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN VPN clients.

The vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user account. They are tracked as TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).

The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169.

That same month, both clients released similar patches to fix this flaw.

However, we identified a way to bypass that patch.

Despite the fix, it is still possible to execute code as an administrator on the system.

More details can be found in the vulnerability reports:



  • ProtonVPN VPN Client 1.5.1
  • NordVPN



The following Snort rules will detect exploitation attempts. Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or

Snort Rules: 47035 – 47036


Enjoy the report here.

