If You Have FatPipe VPN, Update Now: FBI Warns of Zero-Day Flaw

Hackers have been using the flaw to gain access to companies' internal networks for months.

Hackers have been exploiting a zero-day vulnerability in FatPipe VPN software since May, the FBI has announced.

A patch has been released, so anyone using the FatPipe WARP, MPVPN, or IPVPN software should update immediately in order to protect themselves moving forward.

No company is infallible when it comes to zero-day vulnerabilities, from Apple to Google, but it’s always sad to see in a VPN, a service explicitly designed to keep its users safe.

What to Know

The attackers are a group sophisticated enough to be labelled an “advanced persistent threat,” or APT, and have been using the flaw to gain access to companies’ internal networks for months, according to the FBI’s forensic analysis.

The FBI statement itself explains that the flaw allowed hackers to exploit a file upload function:

“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.”

The statement includes the technical details that an IT team can use to follow up within their internal networks, and advises that any organizations that find activity indicating they’ve been compromised should “take action immediately.”

However, that’s easier said than done, as the FBI found that, in most cases, the hackers used cleanup scripts to hide traces of their activity.

Can You Trust Your VPN?

Yes, the flaw in question has been patched by now, but that’s small comfort to the companies who are just now learning they were fully exposed and potentially hacked over the last six months. In situations like these, the security of any virtual private network service comes under scrutiny.

FatPipe wasn’t on our list of the most trusted and secure VPNs, where we ranked NordVPN, IPVanish, and PureVPN among the cream of the business-data-securing crop.

But perhaps the best test of the discovery of a software vulnerability is in how well the safeguards and redundancies that were already in place have worked to mitigate any harm the flaw could cause. Take the example of NordVPN’s 2018 data breach: Just one of the company’s 3,000+ servers was affected and NordVPN quickly addressed it. No user data was compromised in the incident, and NordVPN’s zero logging policy meant no data was available to be compromised.

If you’re interested in a new VPN or simply trying out one with enough safeguards to ensure your company’s internal network won’t be crawling with hackers, check out our roundup of the most robust business VPNs here. Or, simply check out this table for a faster comparison of all the facts to know about each:


Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' was a 2024 Locus Awards finalist. When not working on his next art collection, he's tracking the latest news on VPNs, POS systems, and the future of tech.