The Decline of VPNs — Part 1: Understanding Reachability as the New Threat

Significant Vulnerabilities in VPNs Exposed During RSA Conference 2025

At the recently held RSA Conference in 2025, discussions centered around cybersecurity highlighted troubling vulnerabilities inherent in traditional Virtual Private Networks (VPNs). Notably, Deepen Desai, Chief Security Officer at Zscaler, emphasized during an interview that VPNs are fundamentally flawed. "VPNs are exposed by design," he stated, warning that any exposed network is at risk of exploitation.

Desai’s insights coincide with the release of Zscaler’s 2025 VPN Risk Report, an alarming overview of how legacy remote access protocols are inadequately securing modern enterprises. This report reveals a substantial shift in organizational strategies, with 65% of companies planning to phase out VPNs within a year and 81% transitioning towards Zero Trust architectures. Moreover, 92% of respondents expressed concern that unpatched VPNs could facilitate ransomware attacks, underscoring a growing recognition of the dangers associated with outdated security measures.

Critically, Desai pointed out that the principal issue with VPNs lies not in their configuration but rather in their operational design. "They work exactly as intended by placing users on the network, and that is the flaw," he explained. This structural weakness transforms VPNs into potential gateways for attackers once they gain access to the network.

Such vulnerabilities have far-reaching consequences. Between 2020 and 2025, Zscaler’s ThreatLabz identified over 400 Common Vulnerabilities and Exposures (CVEs) linked to VPN devices. Recent years have seen a worrying trend, with 60% of new vulnerabilities rated as high or critical in 2024 alone. These vulnerabilities can allow attackers to bypass authentication processes, execute code remotely, or hijack sessions. Desai highlighted that cybercriminals are exploiting these weaknesses at an alarming pace, often reverse-engineering vendor patches within mere hours of their release.

One critical concern is the unrestricted access offered by VPNs once a user is authenticated. "A compromised device exposes everything your VPN can reach on the network," Desai warned, describing the potential blast radius of such an attack. The absence of built-in segmentation and identity-aware access exacerbates this risk, enabling lateral movement within organizational networks.

Desai’s observations extend beyond external threats; he also highlighted the "quiet failure" of VPNs, referring to their detrimental impact on IT resources and user productivity. According to Zscaler’s report, more than half of surveyed teams reported chronic outages and support escalations tied to VPNs, creating burdensome demands on internal resources.

Further complicating the landscape is the exposure to third-party risks through contractor VPN usage. When external stakeholders connect via VPN, organizations may inadvertently inherit vulnerabilities from their environments. Recent breaches involving third-party connections underscore this risk, amplifying concerns related to mergers and acquisitions, where attackers specifically target weaker entities within a newly merged structure.
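To make the blast-radius and contractor-access points concrete, the following is an added illustration (not code from the report, the interview, or any Zscaler product) that models what a compromised device can reach under a route-based VPN versus an identity-aware, per-application policy. The inventory, routes, identities and policy are all constructed.

```python
"""Reachability model for the 'on the network' flaw described above.

Constructed example: a flat VPN grants reachability by routed prefix, while
an identity-aware policy grants it per (identity, application). Inventory,
routes and policy are all made up for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed internal inventory: application name -> private address.
INVENTORY = {
    "hr-portal": "10.10.1.10",
    "payroll-db": "10.10.1.20",
    "build-server": "10.10.2.30",
    "file-share": "10.10.2.40",
    "ot-hmi": "10.10.3.50",
}

# Traditional VPN: after authentication the client receives routes, and every
# host inside a routed prefix is reachable regardless of who connected.
VPN_ROUTES = [ip_network("10.10.0.0/16")]
# Split tunnelling narrows the routes but still exposes whole subnets.
SPLIT_TUNNEL_ROUTES = [ip_network("10.10.1.0/24")]

# Identity-aware model: explicit grants per identity; nothing is routed, so an
# identity absent from the policy (an unprovisioned contractor) reaches nothing.
ZT_POLICY = {
    "alice@corp.example": {"hr-portal", "file-share"},
    "bob@contractor.example": {"build-server"},
}


def vpn_reachable(inventory, routes):
    """Hosts reachable under the VPN model: anything inside a pushed route."""
    return {name for name, addr in inventory.items()
            if any(ip_address(addr) in route for route in routes)}


def zt_reachable(inventory, policy, identity):
    """Hosts reachable under the identity-aware model: only explicit grants."""
    return policy.get(identity, set()) & set(inventory)


def blast_radius(identity, routes=VPN_ROUTES):
    """Count what a compromised device could reach under each model."""
    return {
        "vpn": len(vpn_reachable(INVENTORY, routes)),
        "zero_trust": len(zt_reachable(INVENTORY, ZT_POLICY, identity)),
    }
```

Note that `vpn_reachable` never consults the identity at all: under the VPN model the blast radius is a property of the pushed routes, which is the structural point Desai makes.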

With the transition towards a VPN-free future, organizations are increasingly considering alternatives like Zscaler Private Access (ZPA). Desai cited the case of ManpowerGroup, which completed its shift in just 18 days, resulting in significant enhancements such as a reduction in helpdesk tickets.

As the cybersecurity landscape evolves, the necessity for robust security frameworks becomes increasingly apparent. Employing strategies like Zero Trust can reinforce defenses against contemporary threats by limiting network access based on identity rather than the outdated concept of being "on the network." For organizations determined to enhance their cybersecurity posture, understanding these risks—and adapting to mitigate them—is not merely advisable, but imperative.

In a rapidly changing threat environment, the future of secure access increasingly hinges on the dismantling of traditional VPN structures in favor of more resilient and modern security architectures. Through proactive measures, businesses can fortify themselves against the evolving tactics of cyber adversaries, ultimately safeguarding their sensitive data and critical systems.
