A patch that prevented NordVPN and ProtonVPN clients from running arbitrary code with administrator privileges on Windows machines implemented insufficient controls against the vulnerability, a security researcher discovered.
Both clients use OpenVPN open-source software to set up a secure tunnel from one point to another. The service needs to run with administrator permissions, so any code it runs enjoys these privileges.
