A new report from Zscaler ThreatLabz, commissioned by Cybersecurity Insiders, reveals that a majority of organisations (56%) believe security and compliance risks have rendered traditional VPNs obsolete.
The Zscaler ThreatLabz 2025 VPN Risk Report, based on a survey of over 600 IT and security professionals, highlights how unpatched VPN vulnerabilities are fuelling ransomware attacks and accelerating the adoption of Zero Trust security architectures.
A significant 92% of organisations are worried about ransomware attacks exploiting VPN vulnerabilities, and 93% fear backdoor vulnerabilities arising from third-party VPN connections. These concerns are prompting a rapid shift away from VPNs, with 65% of organisations planning to replace them within the next year. Furthermore, 81% are in the process of implementing, or planning to implement, a Zero Trust strategy.
The report argues that VPNs, initially designed for remote access, now present a significant security liability. Their architecture, which grants broad network access after authentication, exposes IT assets and sensitive data due to over-privileged access, vulnerabilities and an expanding attack surface.
This is fundamentally at odds with the Zero Trust principle of ‘never trust, always verify’. VPNs are also criticised for operational inefficiencies, including slow performance, frequent connection issues and complex maintenance.
Zscaler’s ThreatLabz analysis of Common Vulnerabilities and Exposures (CVEs) from 2020-2025 further underscores the growing risk. VPN CVEs increased by 82.5% over this period, with approximately 60% of recent vulnerabilities classified as high or critical severity.
Remote Code Execution (RCE) vulnerabilities, which allow attackers to execute arbitrary code on a system, were found to be the most prevalent type, posing a severe threat.
The report also highlights the dangers of third-party VPN access. By granting broad access to contractors, partners and vendors, VPNs create potential entry points for attackers who can exploit weak or stolen credentials, misconfigurations and unpatched vulnerabilities. A recent data breach at a financial services company, resulting from a VPN vulnerability, exposed the personal information of nearly 20,000 clients, demonstrating the real-world consequences of these risks.
In response to these challenges, organisations are increasingly turning to Zero Trust architectures. While some vendors are attempting to market cloud-hosted VPNs as Zero Trust solutions, the report argues that a VPN, regardless of its deployment, cannot adhere to true Zero Trust principles.
The Zscaler report advocates a holistic Zero Trust approach that extends to users, applications and workloads. Such an architecture minimises the attack surface, blocks threats, prevents lateral movement, enhances data security and simplifies operations. By implementing continuous verification and least-privileged access, organisations can eliminate the security risks associated with VPNs in favour of a more robust and resilient security framework.
“Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale,” said Deepen Desai, CSO at Zscaler.
“To address these risks, organisations should shift to a Zero Trust everywhere approach. This approach eliminates the need for Internet-exposed assets like VPNs (physical and virtual), while drastically reducing the attack surface and potential impact of breaches. It’s encouraging to see that 81% of organisations are planning to implement Zero Trust within the next year – a critical step in mitigating the security risks posed by legacy technologies like VPNs.”