print preview Back News

The Cyber-Defence Campus finds a critical security vulnerability in VPN software

Vulnerability research is a key task for the scientists at the Cyber-Defence (CYD) Campus. Within a research programme, a CYD Campus researcher has found a critical security vulnerability in the VPN client of the American company F5. Thanks to the early warning by the CYD Campus, the vulnerability could be closed.

23.06.2021 | Sarah Frei, Cyber-Defence Campus, armasuisse Science and Technology

Glowing dots form a key in front of a green colored frame with people discussing in a laboratory


As part of the recently established Vulnerability Research Programme at the CYD Campus, a researcher at armasuisse Science and Technology has discovered a critical security vulnerability in the VPN client of the company F5. The hitherto unknown security vulnerability can be exploited by unauthorised users to obtain administrator rights on those Windows client systems on which the VPN software is installed.

Through the early notification by the CYD Campus to the American manufacturer this February, the security vulnerability was closed. The corresponding security update was published on June 1.

This incident illustrates the relevance and effectiveness of the CYD Campus’s vulnerability research for Switzerland's security. The affected VPN software is used by numerous companies in Switzerland to enable employees to remotely access their corporate network. As a result of the Covid-19 pandemic and the associated home office obligation, the use of VPN clients has become a common practice. The detection and fast remediation of such security risks is thus a key component of cyber defence.

The CYD Campus was established in 2019 at armasuisse Science and Technology as part of the DDPS’s cyber defence action plan and contributes to the national strategy for the protection of Switzerland from cyber risks (NCS). The CYD Campus’ core tasks include the early detection of developments in the area of cyber defence, the development and testing of cyber technologies as well as the training of cyber specialists.