We’d like to address a few recent news articles about a security vulnerability that Talos cybersecurity researchers reported earlier this month. Here are some important points that we think people are missing.
When they discovered the CVE vulnerability in our and other VPN providers’ systems, Talos Intelligence, like all ethical security research firms, approached us with the news first before publishing it. They waited until we fixed the problem before publishing their findings to ensure that no VPN users were exposed to any additional risk.
The vulnerability described in their report no longer exists on our systems. When it did, it was completely undocumented and quite possibly unknown to anyone in the world. But if it was…
To put it simply, this vulnerability required the attacker to already have access to your computer. That access could have come through a guest account on your computer or through malware you downloaded from the web. An attacker sophisticated enough to know of the vulnerability could then have used it to give themselves admin privileges or run other damaging scripts.
Here’s the issue: if a malicious attacker already has access to your machine (especially if they got it using malware), they already have plenty of other options available. The vulnerability described by Talos Intelligence could not have been the first step in an attacker’s assault on your machine. For it to work, you needed to have already suffered a serious breach of your physical or cyber security.
We have a diligent team of dedicated software engineers and cybersecurity experts working on our system to keep it as secure and functional as possible. With that being said, everyone makes mistakes. That’s why the work of institutions like Talos Intelligence is so important. By discovering vulnerabilities and reporting them to companies before they’re published, they help make the internet a more secure place for everyone – without endangering users in the process.
NordVPN is currently completely secure from the CVE Privilege Escalation vulnerability.