Zerodium buys vulnerabilities in ExpressVPN, NordVPN and Surfshark

Vulnerabilities in ExpressVPN, NordVPN and Surfshark
Written by Emma Davis

Renowned vulnerability broker Zerodium announced that it is purchasing zero-day vulnerabilities in Windows clients for three major VPN products: ExpressVPN, NordVPN, and Surfshark.

Let me remind you that Zerodium, founded in 2015, has long been buying exploits for various zero-day vulnerabilities in order to then resell them to governments and law enforcement agencies in different countries. To do this, the company has its own bug bounty program, under which researchers can sell exploits for up to $ 2.5 million (depending on the type and nature of the vulnerability).

In addition, from time to time the company conducts campaigns “to identify errors”, during which it buys exploits for a specific software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, and so on.

A new campaign of this kind is targeting Windows clients of three major VPN products: ExpressVPN, NordVPN and Surfshark, which are used in thousands of proxy servers around the world.

We’re looking for 0day exploits affecting VPN software for Windows: – ExpressVPN – NordVPN – Surfshark Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.Zerodium questions on Twitter.

Zerodium says that it is interested in exploits that can lead to the disclosure of personal information of the VPN user, can reveal the real IP address of the user, as well as exploits that lead to remote code execution on the victim’s computer.

Nothing is known about the remuneration that the company is willing to pay to researchers. ExpressVPN and NordVPN have their own bug bounty programs. For example, ExpressVPN offers up to $ 2,500 for vulnerabilities (with bonuses up to $ 10,000), while NordVPN is willing to pay $ 5,000 for critical bugs. Zerodium will probably offer a lot more.

We also reported that Zerodium will not buy exploits for iOS, as there is too many of them.

User Review
0 (0 votes)
Comments Rating 5 (1 review)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

One Response

  1. Johnw October 26, 2021

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.