New research from VPNpro shows that Monsoon Accessorize uses an outdated version of the Pulse Connect Secure VPN with a known vulnerability that allows hackers to steal or ransom sensitive internal company files, customer data, and much more.
The Pulse Connect Secure vulnerability (CVE-2019-11510, rated as “critical”), which dates back to April 2019, can allow hackers to see any active users on the company VPN, as well as their plaintext passwords. They can then use this information to get into the company's servers for malicious purposes, which could harm both the company and its clients. The threat is serious: even the US Department of Homeland Security has issued a warning urging businesses to upgrade their VPNs.
By using this vulnerability, our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.
We attempted to contact Monsoon multiple times via multiple channels from May 28 until June 10. At the time of writing this article, we have still received no reply and the vulnerability remains.