heise PlusAbo
Anzeige

VPN gaps in HPE Aruba Networking Virtual Intranet Access Client closed

Attackers can crack VPN connections created with HPE Aruba Networking Virtual Intranet Access Client.

listen Print view
Highly distorted image of a finger on a keyboard, with a digital exclamation mark in the foreground

(Image: janews/Shutterstock.com)

1 min. read
Security
By

VPN connections created with the HPE Aruba Networking Virtual Intranet Access (VIA) client under iOS, Linux, macOS, and Windows are not secure. The Android client is not affected. There is a security update for the other systems.

Tunnelvision vulnerability

In a warning message, the developers state that the VIA client up to and including version 4.7.0 is vulnerable. They state that they have closed two security gaps (CVE-2024-3661 “high”, CVE-2025-25041 “high”) in version 4.7.2.

The first vulnerability has been known since 2024 under the title “Tunnelvision”. At this point, remote attackers can start without authentication and start in the context of the network configuration service of the DHCP protocol to break VPN connections.

Videos by heise

If attackers successfully exploit the second vulnerability, they can create DoS states. According to the HPE developers, there is still no evidence of attacks on either vulnerability.

(des)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten