Zscaler ThreatLabz 2025 VPN Risk Report: Over Half of Organizations Say Security and Compliance Risks Make VPNs Obsolete
Zscaler (NASDAQ: ZS) has released its ThreatLabz 2025 VPN Risk Report, revealing critical security concerns with traditional VPN usage. The study, based on 600+ IT professionals' insights, shows that 56% of organizations consider security and compliance their biggest VPN challenge.
Key findings indicate that 92% of organizations worry about ransomware attacks due to VPN vulnerabilities, while 93% fear backdoor vulnerabilities from third-party VPN connections. The report highlights an 82.5% growth in VPN vulnerabilities from 2020-2024, with 60% rated as high or critical severity.
In response to these challenges, 65% of organizations plan to replace their VPNs within the year, and 81% are moving towards implementing zero trust architecture. The shift comes as VPNs increasingly become liability points for corporate networks, exposing IT assets and sensitive data through over-privileged access and an expanding attack surface.
Zscaler (NASDAQ: ZS) ha pubblicato il suo rapporto sulla rischiosità delle VPN per il 2025, rivelando preoccupazioni critiche per la sicurezza nell'uso delle VPN tradizionali. Lo studio, basato sulle opinioni di oltre 600 professionisti IT, mostra che il 56% delle organizzazioni considera la sicurezza e la conformità la loro maggiore sfida con le VPN.
I risultati chiave indicano che il 92% delle organizzazioni è preoccupato per gli attacchi ransomware a causa delle vulnerabilità delle VPN, mentre il 93% teme vulnerabilità di backdoor da connessioni VPN di terze parti. Il rapporto evidenzia una crescita dell'82,5% delle vulnerabilità delle VPN dal 2020 al 2024, con il 60% classificato come grave o critico.
In risposta a queste sfide, il 65% delle organizzazioni prevede di sostituire le proprie VPN entro l'anno, e l'81% si sta orientando verso l'implementazione di un'architettura zero trust. Questo cambiamento avviene mentre le VPN diventano sempre più punti di responsabilità per le reti aziendali, esponendo beni IT e dati sensibili attraverso accessi eccessivi e una superficie di attacco in espansione.
Zscaler (NASDAQ: ZS) ha lanzado su Informe de Riesgo de VPN ThreatLabz 2025, revelando preocupaciones críticas de seguridad sobre el uso de VPN tradicionales. El estudio, basado en las opiniones de más de 600 profesionales de TI, muestra que el 56% de las organizaciones considera que la seguridad y el cumplimiento son su mayor desafío con las VPN.
Los hallazgos clave indican que el 92% de las organizaciones se preocupa por los ataques de ransomware debido a las vulnerabilidades de VPN, mientras que el 93% teme las vulnerabilidades de puerta trasera de conexiones VPN de terceros. El informe destaca un crecimiento del 82,5% en las vulnerabilidades de VPN de 2020 a 2024, con el 60% clasificado como de alta o crítica gravedad.
En respuesta a estos desafíos, el 65% de las organizaciones planea reemplazar sus VPN en el transcurso del año, y el 81% se está moviendo hacia la implementación de una arquitectura de confianza cero. Este cambio se produce a medida que las VPN se convierten cada vez más en puntos de responsabilidad para las redes corporativas, exponiendo activos de TI y datos sensibles a través de accesos excesivos y una superficie de ataque en expansión.
Zscaler (NASDAQ: ZS)는 2025년 VPN 위험 보고서를 발표하며 전통적인 VPN 사용에 대한 중요한 보안 우려를 드러냈습니다. 600명 이상의 IT 전문가의 의견을 바탕으로 한 이 연구는 56%의 조직이 보안 및 규정 준수를 VPN의 가장 큰 도전 과제로 보고 있음을 보여줍니다.
주요 결과는 92%의 조직이 VPN 취약점으로 인한 랜섬웨어 공격에 대해 걱정하고 있으며, 93%는 제3자 VPN 연결로 인한 백도어 취약점을 우려하고 있음을 나타냅니다. 이 보고서는 2020년부터 2024년까지 VPN 취약점이 82.5% 증가했으며, 그 중 60%가 높은 또는 치명적인 심각도로 평가되었다고 강조합니다.
이러한 도전에 대응하기 위해 65%의 조직이 1년 이내에 VPN을 교체할 계획이며, 81%은 제로 트러스트 아키텍처 구현으로 나아가고 있습니다. 이 변화는 VPN이 기업 네트워크의 책임 지점으로 점점 더 부각되면서, 과도한 접근 권한과 확장하는 공격 표면을 통해 IT 자산과 민감한 데이터를 노출시키고 있습니다.
Zscaler (NASDAQ: ZS) a publié son Rapport sur les Risques VPN ThreatLabz 2025, révélant des préoccupations critiques en matière de sécurité concernant l'utilisation des VPN traditionnels. L'étude, basée sur les avis de plus de 600 professionnels de l'informatique, montre que 56% des organisations considèrent la sécurité et la conformité comme leur plus grand défi en matière de VPN.
Les résultats clés indiquent que 92% des organisations s'inquiètent des attaques par ransomware en raison des vulnérabilités des VPN, tandis que 93% craignent les vulnérabilités de porte dérobée liées aux connexions VPN tierces. Le rapport souligne une croissance de 82,5% des vulnérabilités VPN entre 2020 et 2024, dont 60% sont classées comme ayant une gravité élevée ou critique.
En réponse à ces défis, 65% des organisations prévoient de remplacer leurs VPN dans l'année, et 81% s'orientent vers la mise en œuvre d'une architecture de confiance zéro. Ce changement survient alors que les VPN deviennent de plus en plus des points de responsabilité pour les réseaux d'entreprise, exposant les actifs informatiques et les données sensibles à travers des accès excessifs et une surface d'attaque en expansion.
Zscaler (NASDAQ: ZS) hat seinen ThreatLabz 2025 VPN Risikobericht veröffentlicht, der kritische Sicherheitsbedenken beim Einsatz traditioneller VPNs offenbart. Die Studie, die auf den Erkenntnissen von über 600 IT-Profis basiert, zeigt, dass 56% der Organisationen Sicherheit und Compliance als ihre größte Herausforderung mit VPNs ansehen.
Wichtige Ergebnisse zeigen, dass 92% der Organisationen sich wegen der Schwachstellen von VPNs um Ransomware-Angriffe sorgen, während 93% vor Hintertür-Schwachstellen bei Drittanbieter-VPN-Verbindungen Angst haben. Der Bericht hebt ein Wachstum von 82,5% bei VPN-Schwachstellen von 2020 bis 2024 hervor, wobei 60% als hoch oder kritisch eingestuft werden.
Als Reaktion auf diese Herausforderungen planen 65% der Organisationen, ihre VPNs innerhalb eines Jahres zu ersetzen, und 81% bewegen sich in Richtung der Implementierung einer Zero-Trust-Architektur. Dieser Wandel erfolgt, da VPNs zunehmend zu Haftungspunkten für Unternehmensnetzwerke werden und IT-Vermögenswerte sowie sensible Daten durch übermäßige Zugriffsrechte und eine erweiterte Angriffsfläche exponiert werden.
- None.
- None.
Annual Report Highlights How Unpatched VPNs Fuel Ransomware Attacks, Underscoring the Urgency for Zero Trust Security
Key Findings:
92% of organizations are concerned about ransomware attacks due to VPN vulnerabilities93% of organizations fear backdoor vulnerabilities from third-party VPN connections81% of organizations are adopting or planning to adopt zero trust within the next year
SAN JOSE, Calif., April 10, 2025 (GLOBE NEWSWIRE) -- Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today published the Zscaler ThreatLabz 2025 VPN Risk Report, commissioned by Cybersecurity Insiders, which highlights the widespread security, user experience and operational challenges posed by VPN services. The findings are based on insights from a survey of 600+ IT and security professionals. The results are stark: maintaining security and compliance is the single largest challenge (
Initially built for remote access, VPNs have become a liability for corporate networks, exposing IT assets and sensitive data due to over-privileged access, vulnerabilities, and an ever-growing attack surface. VPN, both physical and virtual, is opposite of Zero Trust as by architecture it brings the remote users as well as attackers on the network. Additionally, VPNs hinder operational efficiency with slow performance, frequent connection issues, and complex maintenance, burdening IT teams and disrupting employee productivity. The report aims to shed light on these concerns with trusted insights from industry peers, while arming enterprises with guidance to enable secure access across today's hybrid work environments.
Security and usability concerns
Security and compliance risks ranked as the top VPN challenges at
Recently, a foreign cyberespionage group exploited vulnerabilities in a popular VPN, gaining unauthorized access to corporate networks. This incident, one of several in recent months, reinforces how VPN vulnerabilities continue to be a key target in cyberattacks, underscoring the urgent need to transition from legacy security models to a Zero Trust architecture. A staggering
"Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale," said Deepen Desai, CSO at Zscaler. "To address these risks, organizations should shift to a Zero Trust everywhere approach. This approach eliminates the need for internet-exposed assets like VPNs (physical and virtual), while drastically reducing the attack surface and potential impact of breaches. It’s encouraging to see that
The rise of critical, scannable VPN vulnerabilities
To understand how attackers exploit vulnerabilities in internet-connected VPN infrastructure, ThreatLabz also analyzed VPN Common Vulnerabilities and Exposures (CVEs) from 2020-2025, based on data from the MITRE CVE Program. In general, vulnerability reporting is a good thing, as rapid vulnerability disclosure and patching helps the entire ecosystem improve cyber hygiene, foster community collaboration, and quickly respond to new vectors of attack. No type of software is immune from vulnerabilities, nor should it be expected to be.
Figure 1: The impact type of VPN CVEs from 2020-2024, covering remote code execution (RCE), privilege escalation, DoS, sensitive information leakage, and authentication bypass.
Over the sample period, VPN CVEs grew by
Unwelcome party guests
VPNs provide broad access following authentication, extending user access to contractors, external partners and vendors. While great in theory connectivity tools, attackers can easily exploit weak or stolen credentials, misconfigurations, and unpatched vulnerabilities to compromise these trusted connections. The report shows,
Out with the old, in with the new - Zero Trust Everywhere
Legacy or traditional vendors are attempting to adapt to the evolving landscape by deploying virtual machines in the cloud and labeling them as Zero Trust solutions. Unfortunately, a VPN hosted in the cloud remains, at its core, a VPN and does not adhere to true Zero Trust principles. Illustrating this point, the industry has recently witnessed massive spikes in scanning activity targeting tens of thousands of publicly searchable VPN IP addresses hosted by at least one of the largest security vendors. Historically, this kind of activity has indicated some likelihood that attackers may be preparing to exploit yet-to-be-disclosed vulnerabilities in targeted VPN assets. Case in point: if you are reachable, you are breachable — which is why, from an architectural perspective, cloud-based VPN technology can never achieve true zero trust principles, no matter the branding.
The switch to a holistic Zero Trust architecture is rapidly gaining momentum and replacing outdated legacy security tools due to the proven security benefits and efficiency gains for adopting organizations. The report found
- Minimizes the Attack Surface: Replaces network-based access with Zero Trust policies and identity-based controls to secure users and third parties.
- Blocks Threats: Prevents initial compromise through robust authentication, identity security, and least-privileged Zero Trust Access.
- Prevents Lateral Movement: Uses Zero Trust segmentation to contain threats and stop unauthorized spread within networks.
- Enhances Data Security: Enforces context-aware, integrated Zero Trust policies to protect sensitive information.
- Simplifies Operations: Replaces VPNs with AI-driven security, continuous monitoring, and automated policy enforcement, in addition to uninterrupted access with business continuity.
By adopting these best practices, organizations can replace VPN security risks with a robust Zero Trust framework, enabling continuous verification, least-privileged access, and proactive threat prevention.
The Zscaler ThreatLabz 2025 VPN Risk Report provides additional insights and best practices to help organizations effectively prevent attacks and ransomware. Download your copy here.
Research Methodology
This report is based on a comprehensive survey of 632 IT and cybersecurity professionals conducted by Cybersecurity Insiders. The study examines VPN security risks, enterprise access trends, and the adoption of zero trust architectures. Respondents include executives, IT security practitioners, and network infrastructure leaders across various industries. The findings provide a data-driven perspective on the decline of VPNs and the shift to zero trust, offering critical insights for organizations modernizing their access security strategies.
About ThreatLabz
ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.
About Zscaler
Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.
Media Contact
Natalia Wodecki
press@zscaler.com
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/6c9af7e7-b67b-46d5-bfeb-c62a453b507a
FAQ
What are the main security risks of VPNs according to Zscaler's 2025 report?
How many organizations are planning to replace their VPNs according to the ZS report?
What percentage increase in VPN vulnerabilities was observed from 2020-2024?
How many IT professionals were surveyed in Zscaler's 2025 VPN Risk Report?
What is the primary challenge organizations face with VPNs in 2025?
