MEDIUM Vulnerability

VAPT-2026-04403 | Pre-authenticated directory traversal in Aurora VPN diagnostic export

Aurora VPN exposed a pre-authenticated file disclosure issue in its diagnostic export handler, allowing remote retrieval of arbitrary files from the appliance filesystem.

Case Overview

Case ReferenceVAPT-2026-04403

AuthorIvy Packet

Researcher(s)

Ivy Packet

CVE(s)

CVE-2026-44003

ProductAurora VPN Gateway

VersionAurora VPN Gateway 3.5.0 through 3.5.3

Recommendation

Upgrade to Aurora VPN Gateway 3.5.4 and later where possible.

Workaround

Upgrade or rebuild toward Aurora VPN Gateway 3.5.4 and later.

Status

Published

Last ModifiedApr 10, 2026, 13:43 UTC

Summary

Aurora VPN exposed a pre-authenticated file disclosure issue in its diagnostic export handler, allowing remote retrieval of arbitrary files from the appliance filesystem.

Affected Scope

Product

Aurora VPN Gateway

Versions

Aurora VPN Gateway 3.5.0 through 3.5.3

CVE(s)

CVE-2026-44003

How Attackers Can Misuse This

Aurora VPN exposed a pre-authenticated file disclosure issue in its diagnostic export handler, allowing remote retrieval of arbitrary files from the appliance filesystem.

Root Cause

The handler normalized archive names after the destination path was joined, which allowed `../` segments to survive the security check. A crafted request reached privileged export logic early in the request lifecycle and streamed arbitrary files back to the client.

record: VAPT-2026-04403
severity: MEDIUM
product: Aurora VPN Gateway
target_versions: Aurora VPN Gateway 3.5.0 through 3.5.3
linked_cves: CVE-2026-44003
cvss_vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What You Can Do

Immediate Updates

Upgrade to Aurora VPN Gateway 3.5.4 and later where possible.

Treat as Compromised

Treat exposed management surfaces and previously issued credentials as potentially compromised.

Rotate Credentials

Rotate affected secrets, tokens, and privileged service credentials after remediation is applied.

Threat Hunting

Upgrade to Aurora VPN Gateway 3.5.4 or later, restrict the diagnostic export route at the edge, and rotate any credentials or key material stored on the affected appliance. Review access logs for unusual export requests containing encoded traversal sequences.

Tools

No downloadable tools or authenticated evidence packages are attached to this case.

What We Are Doing

Aurora Secure case is currently marked published, with patch status reported as published. VAPT continues to keep the public lifecycle aligned with coordinated disclosure milestones and remediation visibility.

Timeline

Date	Description
Mar 29, 2026	Submitted The researcher submitted the initial disclosure package.
Apr 4, 2026	Validated The issue was validated and reserved for coordinated disclosure.
Apr 9, 2026	Published The case was published with a public VAPT advisory and CVE writeup.

More Information

Technical writeup

Root-cause walkthrough and affected request flow.

Public reference

Vendor remediation notice

Vendor remediation and rollout guidance.

Vendor advisory