PatchSiren cyber security CVE debrief

CVE-2014-9755 Viprinet CVE debrief

CVE-2014-9755 affects Viprinet MultichannelVPN Router 300 firmware versions 2013070830 and 2013080900. The hardware VPN client does not validate the remote VPN endpoint’s identity by checking the endpoint SSL key before starting the exchange, which can allow a remote attacker to replay traffic or session material. The NVD record maps the issue to CWE-20 (Improper Input Validation) and rates it HIGH. Public references in the supplied corpus include a Packet Storm advisory and a Full Disclosure post, while the CVE record itself was published on 2017-01-20 and later modified on 2026-05-13.

Vendor: Viprinet
Product: CVE-2014-9755
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Organizations using Viprinet MultichannelVPN Router 300 appliances with firmware 2013070830 or 2013080900, especially teams responsible for VPN infrastructure, network security, and remote-access operations.

Technical summary

The vulnerable VPN client initiates a VPN exchange without verifying the remote endpoint’s SSL key, so it does not reliably authenticate the peer identity first. That identity-check failure can let an attacker on the network path abuse replay conditions against the VPN flow. NVD assigns CWE-20 and lists affected CPE entries for the two firmware versions noted above.

Defensive priority

High priority for environments that still operate the affected firmware, because the issue is network-reachable, requires no privileges or user interaction, and affects a core remote-access component.

Recommended defensive actions

Confirm whether any Viprinet MultichannelVPN Router 300 devices are running firmware 2013070830 or 2013080900.
Review the vendor’s guidance and any available firmware updates or corrective releases for the affected hardware.
If upgrading is not immediately possible, reduce exposure by restricting who can reach the VPN endpoint and by limiting reliance on the affected tunnel path.
Monitor VPN logs for unusual repeated session attempts or traffic patterns that could indicate replay-related abuse.
Validate that endpoint identity checks are enforced in your deployment and document any compensating controls used until remediation is complete.

Evidence notes

All claims are limited to the supplied NVD-derived corpus and linked references. The description states the VPN client does not validate the remote endpoint identity by checking the endpoint SSL key before the exchange, enabling replay attacks. NVD lists vulnerable firmware versions 2013070830 and 2013080900 and classifies the weakness as CWE-20. The reference set includes Packet Storm, Full Disclosure, and SecurityFocus entries; no vendor patch text was included in the supplied corpus.

Official resources

CVE-2014-9755 CVE record
CVE.org
CVE-2014-9755 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Source reference
[email protected]

The supplied record was published on 2017-01-20 and last modified on 2026-05-13. The reference list also points to public third-party advisories posted before the CVE record publication date.