Three SSL VPN vulnerabilities are being actively exploited, despite being disclosed in 2019 and patched by January 2020.

SSL VPN products are critical to many organization’s security. As such, they’re a prime target for bad actors looking for a way to compromise an entire network. Unfortunately, many companies and organizations are not patching vulnerabilities as they should be.

Data from Tenable Research shows that three critical SSL VPN vulnerabilities are still being actively exploited, including CVE-2019-19781, CVE-2019-11510 and CVE-2018-13379. CVE-2019-11510, in particular, had a Vulnerability Priority Rating (VPR) of 10.0, although the other two were not far behind at 9.9

Although all three vulnerabilities were disclosed in 2019 and patched by January 2020, they continue to be routinely exploited more than halfway through 2021. According to a joint cybersecurity advisory from four international government agencies, these vulnerabilities were some of the most exploited in 2020. In fact, CVE-2019-19781 was named the most exploited vulnerability of 2020, according to government data.

With the increasing rate of hacks, ransomware and data breaches, it’s disturbing that organizations are not making it a priority to apply readily available patches to such a critical part of their security.