The Zscaler ThreatLabz 2025 VPN Risk Report highlights significant concerns regarding the security of virtual private networks (VPNs), revealing that 92% of organisations are worried about ransomware attacks stemming from VPN vulnerabilities. The findings reveal a critical shift in how enterprises view VPNs as security tools.
Figure 1: Biggest challenges with VPN solutions
The report outlines that maintaining security and compliance is the foremost challenge facing 56% of enterprises using VPNs. With the evolving threat landscape, the risks associated with supply chain attacks and ransomware have become increasingly prominent, prompting 65% of organisations to consider replacing their VPNs in the coming year. In addition, 81% of organisations plan to adopt a zero trust security model within the next year, underscoring a significant pivot away from traditional VPN reliance.
Originally designed for remote access, VPNs have become liabilities, exposing networks to potential attacks through over-privileged access and a growing attack surface. VPNs inherently contradict zero trust principles by granting broad access to users, including potential attackers, once authenticated. This architecture not only increases risk but also hampers operational efficiency due to slow performance and maintenance complexities.
“Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale,” says Deepen Desai, CSO at Zscaler.
He advocates for a shift to a zero trust approach, which eliminates the need for internet-exposed assets like VPNs, thereby significantly reducing the attack surface and the potential impact of breaches.
The report also highlights that 93% of organisations are concerned about backdoor vulnerabilities from third-party VPN connections. Recent incidents, such as a high-profile data breach in the financial sector caused by VPN vulnerabilities, underscore the urgency for organisations to transition to more secure architectures.
Analysis of VPN vulnerabilities from 2020 to 2025 shows a staggering 82.5% increase in reported Common Vulnerabilities and Exposures (CVEs), with about 60% of these vulnerabilities classified as high or critical risk. Vulnerabilities allowing remote code execution (RCE) were particularly concerning, as they grant attackers extensive capabilities.
With the rise in cyber threats, organisations are recognising the limitations of legacy VPN solutions. The report indicates a growing consensus that a holistic zero trust architecture can offer enhanced security compared to outdated systems. By adopting zero trust principles, organisations can minimise their attack surface, block threats, prevent lateral movement within networks, and enhance data security.
In conclusion, as organisations increasingly face cyber threats, the transition to a zero trust security model appears not only beneficial but necessary for safeguarding their networks against evolving vulnerabilities associated with traditional VPN technologies.