2024 VPN Risk Report [Zscaler ThreatLabz]

Today’s distributed and cloud-centric work environment has triggered a shift in access methods from traditional virtual private networks (VPNs) to more robust security frameworks like zero trust. Traditionally, VPNs provided essential remote access capabilities to connect users or entire office sites. However, the growing sophistication of cyberthreats alongside the expansion of remote workforces and cloud technologies have exposed significant vulnerabilities in VPNs. Due to their legacy architecture, VPNs grant overly broad network access once credentials are verified, significantly increasing the risk of cyberattacks if those credentials are compromised.

Recent high-profile exploits of VPN appliances have highlighted critical vulnerabilities (notably CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) affecting essential sectors, including US defense. These vulnerabilities enable attackers to bypass authentication, execute commands with elevated privileges, and maintain persistence after device resets. In response, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal agencies to immediately disconnect affected VPN devices due to substantial security risks.

Through Executive Order 14028, the US government now mandates the adoption of zero trust architectures to enhance cybersecurity, moving away from traditional VPNs. This directive, part of a comprehensive strategy to fortify national cybersecurity, instructs federal agencies to implement zero trust, which verifies every access request irrespective of origin. The Office of Management and Budget (OMB) further supports this initiative with a detailed Federal Zero Trust Strategy, underscoring the shift from VPN-based implicit trust within network perimeters to continuous verification of any and all access requests. These directives and recommendations reflect a consensus within the cybersecurity community that zero trust provides a more robust defense against complex and evolving cyberthreats, a necessity underscored by the recent vulnerabilities and exploits related to traditional VPNs.

As a result, organizations are rapidly adopting zero trust models, which do not inherently trust any user or device inside or outside the network perimeter and require granular verification for every access request. This model is particularly effective in preventing lateral movement within networks—an exploit that attackers often use to deepen their intrusion after gaining initial access.

Based on a survey of 647 IT professionals and cybersecurity experts, this report explores the multifaceted security and user experience challenges of VPNs to reveal the complexity of today’s access management, vulnerabilities to various cyberattacks, and their potential to impair organizations’ broader security posture. The report also outlines more advanced security models, particularly zero trust, which has firmly established itself as a robust and future-proof framework to secure and accelerate digital transformation.

We are grateful to Zscaler for contributing to this VPN risk survey. Their expertise in zero trust and secure access solutions has significantly enriched our findings. We are confident that the insights from this report will be an essential resource for IT and cybersecurity professionals on your journey toward zero trust security.

Please download the full report by completing the form on the right.

More Popular Resources