Cloud security company Zscaler has released its ThreatLabz 2025 VPN Risk Report, commissioned by Cybersecurity Insiders. The report highlights the widespread security, user experience and operational challenges posed by VPN services.
The findings are based on insights from a survey of 600-plus IT and security professionals. The results are stark. Maintaining security and compliance is the single largest challenge (56%) facing enterprises using VPNs today.
Meanwhile, the risks of supply chain attacks and ransomware are top of mind for these companies with 92% of respondents concerned that persistent VPN vulnerabilities will lead to ransomware attacks. These combined risks have culminated in a profound shift in thinking around enterprise VPNs with 65% of organisations planning to replace their VPNs within the year, while 81% plan to implement a zero-trust everywhere strategy.
Initially built for remote access, VPNs have become a liability for corporate networks, exposing IT assets and sensitive data due to over-privileged access, vulnerabilities, and an ever-growing attack surface.
A VPN, both physical and virtual, is the opposite of zero-trust as by architecture, it brings remote users as well as attackers onto the network. Additionally, VPNs hinder operational efficiency with slow performance, frequent connection issues, and complex maintenance, burdening IT teams and disrupting employee productivity.
The report aims to shed light on these concerns with trusted insights from industry peers while arming enterprises with guidance to enable secure access across today’s hybrid work environments.
Security and usability concerns
Security and compliance risks ranked as the top VPN challenges at 54%, highlighting growing concerns that VPNs are inadequate and obsolete for defending against evolving cyber threats. Cybercriminals are now leveraging AI to pinpoint vulnerabilities by using GPT models to run queries focused on identifying weaknesses in VPNs. For instance, reconnaissance can be performed by simply asking a generative AI chatbot to return all current CVEs for VPN products in use by an enterprise. Tasks that once required weeks or even months can now be accomplished in just minutes.
Recently, a foreign cyberespionage group exploited vulnerabilities in a popular VPN, gaining unauthorised access to corporate networks. This incident, one of several in recent months, reinforces how VPN vulnerabilities continue to be a key target in cyberattacks, underscoring the urgent need to transition from legacy security models to a zero-trust architecture. A staggering 92% of survey respondents said they are concerned about being targeted by ransomware attacks due to unpatched VPN vulnerabilities.
“Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale,” said Zscaler CSO Deepen Desai. “To address these risks, organisations should shift to a zero-trust everywhere approach.”
“This approach eliminates the need for internet-exposed assets like VPNs (physical and virtual) while drastically reducing the attack surface and potential impact of breaches,” he added. “It’s encouraging to see that 81% of organisations are planning to implement zero trust within the next year- a critical step in mitigating the security risks posed by legacy technologies like VPNs.”
To understand how attackers exploit vulnerabilities in internet-connected VPN infrastructure, ThreatLabz also analysed VPN common vulnerabilities and exposures (CVEs) from 2020-2025 based on data from the MITRE CVE Program. In general, vulnerability reporting is a good thing, as rapid vulnerability disclosure and patching helps the entire ecosystem improve cyber hygiene, foster community collaboration, and quickly respond to new attack vectors. No type of software is immune from vulnerabilities, nor should it be expected to be.
Over the sample period, VPN CVEs grew by 82.5% (early 2025 data has been removed for this portion of the analysis). In the past year, roughly 60% of the vulnerabilities indicated a high or critical CVSS score, indicating a potentially serious risk to impacted organisations.
Moreover, ThreatLabz found that vulnerabilities enabling remote code execution (RCE) were the most prevalent in terms of the impact or capabilities they can grant to attackers. These types of vulnerabilities are typically serious, as they can grant attackers the ability to execute arbitrary code on the system. Put another way, far from being innocuous, the bulk of VPN CVEs are leaving their customers vulnerable to critical exploits that attackers can, and often do, exploit.
Unwelcome party guests
VPNs provide broad access following authentication, extending user access to contractors, external partners and vendors. While great in theory connectivity tools, attackers can easily exploit weak or stolen credentials, misconfigurations, and unpatched vulnerabilities to compromise these trusted connections.
The report shows 93% of organisations now worry about backdoor vulnerabilities stemming from third-party access. In February 2024, a financial services company suffered a data breach exposing nearly 20,000 clients’ personal information, caused by vulnerabilities in their VPN. This incident highlights how VPNs create exploitable entry points into corporate networks.
Legacy or traditional vendors are attempting to adapt to the evolving landscape by deploying virtual machines in the cloud and labelling them as zero-trust solutions. Unfortunately, a VPN hosted in the cloud remains, at its core, a VPN and does not adhere to true zero-trust principles.
Illustrating this point, the industry has recently witnessed massive spikes in scanning activity targeting tens of thousands of publicly searchable VPN IP addresses hosted by at least one of the largest security vendors.
Historically, this kind of activity has indicated some likelihood that attackers may be preparing to exploit yet-to-be-disclosed vulnerabilities in targeted VPN assets. Case in point: if you are reachable, you are breachable – which is why, from an architectural perspective, cloud-based VPN technology can never achieve true zero-trust principles, no matter the branding.
The switch to a holistic zero-trust architecture is rapidly gaining momentum and replacing outdated legacy security tools due to the proven security benefits and efficiency gains for adopting organisations.
The report found 81% of organisations are adopting, or planning to adopt, a zero-trust architecture within the next year and by extending this architecture to users, applications and workloads, enterprises are ensuring that zero-trust is truly everywhere enabling VPN-free resilient security that:
- Minimises the attack surface: Replaces network-based access with zero trust policies and identity-based controls to secure users and third parties.
- Blocks threats: Prevents initial compromise through robust authentication, identity security, and least-privileged zero-trust access.
- Prevents lateral movement: Uses zero-trust segmentation to contain threats and stop unauthorised spread within networks.
- Enhances data security: Enforces context-aware, integrated zero-trust policies to protect sensitive information.
- Simplifies operations: Replaces VPNs with AI-driven security, continuous monitoring, and automated policy enforcement, in addition to uninterrupted access with business continuity.
By adopting these best practices, organisations can replace VPN security risks with a robust zero-trust framework, enabling continuous verification, least-privileged access, and proactive threat prevention.
The Zscaler ThreatLabz 2025 VPN Risk Report provides additional insights and best practices to help organisations effectively prevent attacks and ransomware.
You can read the report here.
