[VULNERABILITY ALERT] QNO | VPN Firewall - Presence of 3 Critical Security Vulnerabilities (CVE-2025-15387) (CVE-2025-15388) (CVE-2025-15389)

• Subject: [VULNERABILITY ALERT] QNO | VPN Firewall - Presence of 3 Critical Security Vulnerabilities (CVE-2025-15387) (CVE-2025-15388) (CVE-2025-15389)

• Content Description:
  • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202601-00000001
  • [QNO | VPN Firewall - Insufficient Entropy] (CVE-2025-15387, CVSS: 8.8) An Insufficient Entropy vulnerability exists in VPN Firewalls. A remote unauthenticated attacker can obtain any logged-in user's session through brute force, thereby logging into the system.
  • [QNO | VPN Firewall - OS Command Injection] (CVE-2025-15388, CVSS: 8.8) An OS Command Injection vulnerability exists in VPN Firewalls. A remote authenticated attacker can inject arbitrary operating system commands and execute them on the server.
  • [QNO | VPN Firewall - OS Command Injection] (CVE-2025-15389, CVSS: 8.8) An OS Command Injection vulnerability exists in VPN Firewalls. A remote authenticated attacker can inject arbitrary operating system commands and execute them on the server.
• Affected Platforms:
  • VPN Firewall
• Recommended Actions:
  • Contact the vendor to obtain solutions.
• Reference Material:
  1. https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html

Computer and Communication Center
Network Systems Division, Respectfully