Zscaler recently published the Zscaler ThreatLabz 2025 VPN Risk Report, commissioned by Cybersecurity Insiders, which highlights the widespread security, user experience and operational challenges posed by VPN services.
The findings in the Zscaler report are based on insights taken from a survey of 600+ IT and security professionals. The results are stark: maintaining security and compliance is the single largest challenge (56%) facing enterprises using VPNs today. Meanwhile, the risks of supply chain attacks and ransomware are top of mind for these companies with 92% of respondents concerned that persistent VPN vulnerabilities will lead to ransomware attacks. These combined risks have culminated in a profound shift in thinking around enterprise VPNs with 65% of organisations planning to replace their VPNs within the year — while 81% plan to implement a zero trust everywhere strategy.
Initially built for remote access, VPNs have become a liability for corporate networks, exposing IT assets and sensitive data caused by over-privileged access, vulnerabilities, and an ever-growing attack surface. VPN, both physical and virtual, is the opposite of Zero Trust as by architecture it brings the remote users as well as attackers on the network. In addition, VPNs hinder operational efficiency with slow performance, frequent connection issues, and complex maintenance, burdening IT teams and disrupting employee productivity. The report aims to shed light on these concerns with trusted insights from industry peers, while arming enterprises with guidance to enable secure access across today’s hybrid work environments.
Security and usability concerns
Security and compliance risks ranked as the top VPN challenges at 54%, reflecting growing concerns that VPNs are inadequate and obsolete for defending against today’s evolving cyber threats. Cyber criminals are now leveraging AI to pinpoint vulnerabilities by using GPT models to run queries focused on identifying weaknesses in VPNs — for example, performing reconnaissance by simply asking a generative AI chatbot to return all current CVEs for VPN products in use by an enterprise. Tasks that once required weeks or even months can now be accomplished in just minutes.
Recently, a foreign cyberespionage group exploited vulnerabilities in a popular VPN, gaining unauthorised access to corporate networks. This incident, one of several in recent months, reinforces how VPN vulnerabilities continue to be a key target in cyberattacks, underscoring the urgent need to transition from legacy security models to a Zero Trust architecture. 92% of survey respondents reported that they are concerned about being targeted by ransomware attacks due to unpatched VPN vulnerabilities.
“Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale,” said Deepen Desai, CSO, Zscaler. “To address these risks, organisations should shift to a Zero Trust everywhere approach. This approach eliminates the need for internet-exposed assets like VPNs (physical and virtual), while drastically reducing the attack surface and potential impact of breaches. It’s encouraging to see that 81% of organisations are planning to implement Zero Trust within the next year—a critical step in mitigating the security risks posed by legacy technologies like VPNs.”
The rise of critical, scannable VPN vulnerabilities
To understand how attackers exploit vulnerabilities in Internet-connected VPN infrastructure, ThreatLabz also analysed VPN Common Vulnerabilities and Exposures (CVEs) from 2020-2025, based on data from the MITRE CVE Program. In general, vulnerability reporting is a good thing, as rapid vulnerability disclosure and patching helps the entire ecosystem improve cyber hygiene, foster community collaboration, and quickly respond to new vectors of attack. No type of software is immune from vulnerabilities, nor should it be expected to be.
Over the sample period, VPN CVEs grew by 82.5% (early 2025 data has been removed for this portion of the analysis). In the past year, roughly 60% of the vulnerabilities indicated a high or critical CVSS score — indicating a potentially serious risk to impacted organisations. ThreatLabz also found that vulnerabilities allowing remote code execution (RCE) were the most prevalent kind, in terms of the impact or capabilities they can grant to attackers. These types of vulnerabilities are typically serious, as they can grant attackers the ability to execute arbitrary code on the system. The bulk of VPN CVEs are leaving their customers vulnerable to critical exploits that attackers can, and often do, exploit.
Unwelcome party guests
VPNs provide broad access following authentication, extending user access to contractors, external partners and vendors. While great in theory connectivity tools, attackers can easily exploit weak or stolen credentials, misconfigurations, and unpatched vulnerabilities to compromise these trusted connections.
The report shows that 93% of organisations now worry about backdoor vulnerabilities stemming from third-party access. In February 2024, a financial services company suffered a data breach exposing nearly 20,000 clients’ personal information, caused by vulnerabilities in their VPN. This incident highlights how VPNs create exploitable entry points into corporate networks.
Zero Trust everywhere
Legacy or traditional vendors are attempting to adapt to the evolving landscape by deploying virtual machines in the Cloud and labelling them as Zero Trust solutions. Unfortunately, a VPN hosted in the Cloud remains, at its core, a VPN and does not adhere to true Zero Trust principles. Illustrating this point, the industry has recently witnessed massive spikes in scanning activity targeting tens of thousands of publicly searchable VPN IP addresses hosted by at least one of the largest security vendors.
Historically, this kind of activity has indicated some likelihood that attackers may be preparing to exploit yet-to-be-disclosed vulnerabilities in targeted VPN assets. If you are reachable, you are breachable — which is why, from an architectural perspective, Cloud-based VPN technology can never achieve true zero trust principles, no matter the branding.
The switch to a holistic Zero Trust architecture is rapidly gaining momentum and replacing outdated legacy security tools due to the proven security benefits and efficiency gains for adopting organisations. The report found 81% of organisations are adopting, or planning to adopt, a Zero Trust architecture within the next year and by extending this architecture to users, applications and workloads, enterprises are ensuring that Zero Trust is truly everywhere enabling VPN-free resilient security.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.