We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.
Right. So we need to reset all local VPN users? God damn.
Yep. Most of ours were AD auth, but we had a few that used local accounts. We reset them anyway even though the users also used MFA.