28/05/2026
Security researchers have discovered a critical zero-day vulnerability (CVE-2026-1234) in a widely used enterprise VPN solution that affects approximately 15,000 organisations globally, including several in Hong Kong.
The vulnerability exists in the VPN client’s authentication module and could allow an attacker to bypass authentication entirely, gaining access to the protected internal network. The issue has been assigned a CVSS score of 9.8 (Critical).
“We are aware of active exploitation in the wild,” the vendor stated in an emergency advisory. “All users should update to the latest version immediately.”
HKISG recommends that organisations:
1. Update VPN software to the latest patched version as a priority
2. Enable multi-factor authentication as an additional layer of protection
3. Monitor network logs for suspicious authentication patterns
4. Consider implementing a VPN kill switch for mobile devices
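The following is an added illustration of recommendation 3 (monitoring for suspicious authentication patterns); it is not HKISG's or the vendor's code. The advisory does not describe how the bypass works, so the script applies three generic heuristics a defender can run over VPN authentication logs: a successful login with no preceding MFA challenge from the same user and source address, a success that follows a burst of failures, and one user succeeding from several source addresses in a short window. The log format, field names, event labels and sample lines are all constructed for the example; the parser must be adapted to the real product's log schema.

```python
"""Flag suspicious VPN authentication patterns in an auth log.

Added example (not from HKISG or the VPN vendor). The log format is a
constructed, hypothetical one: "<ISO timestamp> <user> <source ip> <event>",
with events MFA_CHALLENGE, AUTH_SUCCESS and AUTH_FAILURE. Adapt parse_log()
to the schema your VPN actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, invented users).
SAMPLE_LOG = """\
2026-05-28T08:00:01Z alice 203.0.113.10 MFA_CHALLENGE
2026-05-28T08:00:09Z alice 203.0.113.10 AUTH_SUCCESS
2026-05-28T08:05:00Z bob 198.51.100.7 AUTH_SUCCESS
2026-05-28T08:10:00Z carol 192.0.2.5 AUTH_FAILURE
2026-05-28T08:10:02Z carol 192.0.2.5 AUTH_FAILURE
2026-05-28T08:10:04Z carol 192.0.2.5 AUTH_FAILURE
2026-05-28T08:10:06Z carol 192.0.2.5 AUTH_FAILURE
2026-05-28T08:10:08Z carol 192.0.2.5 AUTH_FAILURE
2026-05-28T08:10:10Z carol 192.0.2.5 MFA_CHALLENGE
2026-05-28T08:10:15Z carol 192.0.2.5 AUTH_SUCCESS
2026-05-28T08:20:00Z dave 203.0.113.44 MFA_CHALLENGE
2026-05-28T08:20:05Z dave 203.0.113.44 AUTH_SUCCESS
2026-05-28T08:22:00Z dave 198.51.100.99 MFA_CHALLENGE
2026-05-28T08:22:05Z dave 198.51.100.99 AUTH_SUCCESS
2026-05-28T08:23:00Z dave 192.0.2.77 MFA_CHALLENGE
2026-05-28T08:23:05Z dave 192.0.2.77 AUTH_SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    return events


def find_suspicious(events, mfa_window=timedelta(minutes=2),
                    fail_window=timedelta(minutes=5), fail_threshold=5,
                    ip_window=timedelta(minutes=10), max_ips=2):
    """Return a list of (rule, user, ip, timestamp) findings.

    Rules (thresholds are illustrative defaults, tune them for your estate):
      success_without_mfa         - AUTH_SUCCESS with no MFA_CHALLENGE from the
                                    same user/ip within mfa_window before it
      success_after_failure_burst - AUTH_SUCCESS preceded by >= fail_threshold
                                    failures from the same user/ip in fail_window
      multiple_source_ips         - one user succeeding from more than max_ips
                                    distinct addresses within ip_window
    """
    findings = []
    last_mfa = {}                   # (user, ip) -> time of last MFA challenge
    failures = defaultdict(list)    # (user, ip) -> failure timestamps
    successes = defaultdict(list)   # user -> [(timestamp, ip)]
    already_flagged_ips = set()     # users already reported for rule 3

    for ts, user, ip, event in sorted(events):
        key = (user, ip)
        if event == "MFA_CHALLENGE":
            last_mfa[key] = ts
        elif event == "AUTH_FAILURE":
            failures[key].append(ts)
        elif event == "AUTH_SUCCESS":
            mfa_ts = last_mfa.get(key)
            if mfa_ts is None or ts - mfa_ts > mfa_window:
                findings.append(("success_without_mfa", user, ip, ts))

            recent_fails = [t for t in failures[key] if ts - t <= fail_window]
            if len(recent_fails) >= fail_threshold:
                findings.append(("success_after_failure_burst", user, ip, ts))

            successes[user].append((ts, ip))
            recent_ips = {i for t, i in successes[user] if ts - t <= ip_window}
            if len(recent_ips) > max_ips and user not in already_flagged_ips:
                findings.append(("multiple_source_ips", user, ip, ts))
                already_flagged_ips.add(user)
    return findings


if __name__ == "__main__":
    for rule, user, ip, ts in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule:<28} user={user} src={ip}")
```

On the constructed sample this reports bob (success with no MFA step), carol (success after five failures) and dave (three source addresses in ten minutes). The first rule is the one most directly tied to an authentication bypass, and it only becomes meaningful once recommendation 2 is actually enforced, since any success that skips the MFA step is then abnormal by definition; the other two are generic credential-abuse indicators that a VPN auth log should be watched for regardless of this particular CVE.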
The vulnerability highlights the importance of regular software updates and defence-in-depth strategies for network security.