Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

Tags: Security, Critical, CVE-2026-0123

Critical Vulnerability Discovered in Popular Enterprise VPN Solutions

Security researchers have identified a severe authentication bypass vulnerability affecting multiple enterprise VPN products. Immediate patching recommended.

Security Team, Threat Intelligence

February 2, 2026

Critical VPN Authentication Bypass - CVE-2026-0123

Severity: CRITICAL (CVSS 9.8)
Status: Actively Exploited in the Wild

Executive Summary

A critical authentication bypass vulnerability has been discovered affecting multiple enterprise VPN solutions. This vulnerability allows unauthenticated remote attackers to gain access to internal networks without valid credentials.

IMMEDIATE ACTION REQUIRED

If you are running any of the affected products, apply patches immediately or implement the listed mitigations.

Affected Products

| Vendor | Product | Affected Versions | Fixed Version |
|--------|---------|-------------------|---------------|
| Cisco | AnyConnect | < 4.10.08025 | 4.10.08025+ |
| Palo Alto | GlobalProtect | < 6.2.1 | 6.2.1+ |
| Fortinet | FortiClient | < 7.2.3 | 7.2.3+ |

Technical Details

The vulnerability exists in the SAML authentication handling of the affected products. An attacker can craft a SAML response that passes the product's signature check without having been signed by the trusted identity provider, and therefore authenticate as any user the response names. Because the forged response never reaches the identity provider, any MFA step enforced there is never exercised.

Attack Vector

1. Attacker intercepts VPN connection initiation
2. Crafted SAML response injected
3. Signature verification bypassed
4. Attacker authenticated as target user
5. Full VPN tunnel established

Proof of Concept Indicators

Look for these indicators in your logs. The path /var/log/vpn/ is a placeholder; substitute the log location or syslog feed for your gateway.

# Suspicious SAML assertions (case-insensitive, all gateway logs)
grep -i "saml" /var/log/vpn/*.log | grep -iE "(assertion|signature)"

# A "failed" line immediately followed by a "success" line.
# -h drops the filename prefix so the second grep sees only log text;
# -B1 prints the line before each success, then we keep only failures.
# This is adjacency in the file, not necessarily the same user or source:
# correlate by user and source address before treating a hit as exploitation.
grep -hi "auth" /var/log/vpn/*.log | grep -i -B1 "success" | grep -i "failed"

Mitigation Steps

Immediate Actions

  1. Apply Patches - Update to the fixed versions listed above
  2. Enable MFA - Add an additional authentication layer enforced by the gateway itself (for example client certificates). MFA performed by the identity provider does not help here, because a forged SAML response never passes through the identity provider.
  3. Monitor Logs - Watch for the indicators and detection rules below
  4. Network Segmentation - Limit what VPN users can reach so a successful bypass does not grant full internal access

If Patching is Not Immediately Possible

# Cisco AnyConnect - Disable SAML temporarily
# In ASA configuration. Apply this to every tunnel-group that currently has
# "authentication saml"; DefaultWEBVPNGroup is shown as a placeholder.
# "authentication aaa" falls back to the configured AAA server (LDAP/RADIUS),
# so confirm that server is reachable before removing SAML.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
  authentication aaa
 
# Palo Alto GlobalProtect - Enforce MFA on the authentication profile
# In PAN-OS. "VPN" is a placeholder profile name. The line below only
# opens the multi-factor-auth section; complete it with the MFA settings
# and factor server profile required by your PAN-OS version, and commit.
set authentication-profile VPN multi-factor-auth

Detection Rules

Suricata Rule

alert http any any -> $HOME_NET any (
  msg:"CVE-2026-0123 - VPN SAML Bypass Attempt";
  flow:to_server,established;
  content:"SAMLResponse";
  content:"SignatureValue";
  pcre:"/SignatureValue>[A-Za-z0-9+\/=]{10,50}</";
  classtype:attempted-admin;
  sid:2026001;
  rev:1;
)

The pcre flags a SignatureValue of only 10 to 50 base64 characters, far shorter than any RSA signature (an RSA-2048 signature is 344 characters). Two caveats before deploying it: with the SAML HTTP-POST binding the response is base64-encoded and then form-urlencoded in the request body, so the SignatureValue content match and the pcre will not hit the wire bytes unless the engine decodes the field first (Suricata's base64_decode/base64_data keywords, or inspection after a proxy has decoded the form); and the gateway endpoint is served over TLS, so the rule needs a TLS-terminating tap or a decrypted mirror to see the body at all. Treat a hit as a trigger for log correlation, not as confirmation on its own.
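The two points above, the decoded-side check the Suricata pcre is trying to make and the structural checks a service provider should apply before trusting a SAML response, as an added example that is not part of the original advisory. The SAML response, the identity provider and gateway URLs, and the HTTP-POST body are all constructed for illustration; the checks here are pre-validation only and must be followed by real XML-DSig verification with a SAML library.

```python
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity attacks
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Same heuristic as the advisory's Suricata pcre: a SignatureValue of only
# 10-50 base64 characters cannot be an RSA signature (RSA-2048 is 344 chars).
SHORT_SIG = re.compile(r"SignatureValue>([A-Za-z0-9+/=]{10,50})<")


def raw_body_matches(body: str) -> bool:
    """What a byte-level content/pcre match sees on the wire."""
    return SHORT_SIG.search(body) is not None


def decode_post_binding(body: str) -> str:
    """Recover the XML from the SAMLResponse field of an HTTP-POST binding body."""
    fields = parse_qs(body, strict_parsing=True)
    return base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")


def inspect_response(xml_text, expected_issuer, expected_audience, now):
    """Structural checks a service provider makes before, never instead of,
    XML-DSig verification. Returns reasons to reject; an empty list means
    proceed to cryptographic verification of every Signature found."""
    findings = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")

    sigs = root.findall(".//ds:Signature", NS)
    if not sigs:
        findings.append("no XML signature on response or assertion")
    for sig in sigs:
        value = sig.findtext("ds:SignatureValue", default="", namespaces=NS).strip()
        if len(value) <= 50:
            findings.append(f"suspiciously short SignatureValue ({len(value)} chars)")

    # Both the Response issuer and the Assertion issuer must be the trusted IdP.
    for issuer in root.iterfind(".//saml:Issuer", NS):
        if (issuer.text or "").strip() != expected_issuer:
            findings.append(f"unexpected issuer {issuer.text!r}")

    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        findings.append("audience restriction does not name this service provider")

    cond = root.find(".//saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None:
        findings.append("assertion has no NotOnOrAfter condition")
    elif datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= now:
        findings.append("assertion expired")
    return findings


# Constructed sample (not a real capture): the shape of a crafted response as the
# advisory describes it, with a placeholder where the RSA signature should be.
ISSUED = datetime(2026, 2, 2, 14, 30, tzinfo=timezone.utc)
CRAFTED_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2026-02-02T14:30:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-02-02T14:30:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAAAAAAAAAAAAAAAAAA</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-02-02T14:29:00Z" NotOnOrAfter="2026-02-02T14:35:00Z">
      <saml:AudienceRestriction><saml:Audience>https://vpn.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# HTTP-POST binding: base64, then form-urlencoded. This is what an IDS sees.
CRAFTED_BODY = urlencode({"SAMLResponse": base64.b64encode(CRAFTED_XML.encode()).decode(),
                          "RelayState": "/"})


def check_crafted(minutes_after_issue=1):
    """Run the checks on the constructed sample, received minutes_after_issue later."""
    now = ISSUED + timedelta(minutes=minutes_after_issue)
    return inspect_response(decode_post_binding(CRAFTED_BODY),
                            "https://idp.example.com", "https://vpn.example.com/saml", now)


if __name__ == "__main__":
    print("raw POST body matches pcre:", raw_body_matches(CRAFTED_BODY))  # False
    print("decoded XML matches pcre:", raw_body_matches(CRAFTED_XML))    # True
    print("findings:", check_crafted())  # ['suspiciously short SignatureValue (20 chars)']
```

The first two prints show the encoding problem directly: the same regex misses the wire body and hits the decoded XML. The signature-length check is kept only as a cheap tripwire; a well-formed forged response with a 344-character garbage SignatureValue passes every structural check here, which is exactly why the cryptographic verification step cannot be skipped.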

Splunk Query

index=vpn sourcetype=*vpn*
| search (saml OR authentication)
| stats count by src_ip, user, action
| where count > 10 AND action="success"
| sort -count

The threshold of more than 10 successes per source address and user over the search window is a volume heuristic for a source replaying forged responses; pair it with the failed-then-success check above, which catches a single bypass.

Timeline

  • 2026-01-15: Vulnerability discovered by researchers
  • 2026-01-20: Vendors notified via coordinated disclosure
  • 2026-01-28: Patches released by all vendors
  • 2026-02-01: Active exploitation detected in the wild
  • 2026-02-02: Public advisory released

Updates

We will update this advisory as new information becomes available. Subscribe to our security alerts for real-time notifications.


Last updated: February 2, 2026 14:30 UTC