Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design
Conclusion & alert: CVE-2009-2631 is rated Moderate Risk (63.4/100): CVSS Medium severity, with high exploitation likelihood (EPSS 5.13%, 91st percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.29% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood; assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.84% | 5.13% | +4.29% |
| 2 | 2026-05-29 | 0.66% | 0.84% | +0.18% |
| 3 | 2026-05-27 | — | 0.66% | — |
Full EPSS history (26 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 2.0 | MEDIUM | | 8.6 | 6.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| aladdin | safenet_securewire_access_gateway | — | cpe:2.3:h:aladdin:safenet_securewire_access_gateway:*:*:*:*:*:*:*:* |
| cisco | adaptive_security_appliance | — | cpe:2.3:h:cisco:adaptive_security_appliance:*:*:*:*:*:*:*:* |
| sonicwall | e-class_ssl_vpn | — | cpe:2.3:h:sonicwall:e-class_ssl_vpn:*:*:*:*:*:*:*:* |
| sonicwall | ssl_vpn | — | cpe:2.3:h:sonicwall:ssl_vpn:*:*:*:*:*:*:*:* |
| stonesoft | stonegate | — | cpe:2.3:h:stonesoft:stonegate:*:*:*:*:*:*:*:* |