Zscaler Warns of VPN Risks, Pushes for Zero Trust Security in Australia

by Shelley

Zscaler has released its 2025 ThreatLabz VPN Risk Report, highlighting growing concerns over the security of VPN usage in Australia. The report reveals a strong push among organisations toward adopting Zero Trust security frameworks to protect against modern cyber threats.

The report shows that VPN use is still widespread among both companies and individuals looking to defend against cyberattacks. However, it also warns that VPNs may be doing more harm than good. According to the survey, 92% of organisations are worried about ransomware threats caused by VPN vulnerabilities. In addition, 93% are concerned that third-party VPN connections could create backdoors into their systems.

Initially designed to support remote work, VPNs are now viewed as a weak link in corporate security. The report states that VPNs provide too much access, contain unpatched flaws, and increase the potential attack surface, putting sensitive data and IT assets at risk.

Deepen Desai, Chief Information Security Officer at Zscaler, emphasized the growing threat. “Attackers are using AI for faster and smarter attacks. They can now perform automated reconnaissance, intelligent password guessing, and rapid exploitation to break into VPNs at scale,” he said. Desai recommended switching to a Zero Trust model, which limits exposure and strengthens security. “With Zero Trust, there is no need for internet-facing tools like VPNs. It significantly reduces the risk of a breach,” he added.

The report is based on a survey of more than 600 IT and security professionals. It found that maintaining compliance and security is the biggest challenge for companies relying on VPNs. As a result, 81% of these organisations are already using or planning to adopt a Zero Trust approach in the next year.

Common complaints about VPNs include slow speeds, frequent disconnects, and difficult maintenance. These issues not only affect security but also reduce productivity.

A recent cyberattack by a foreign espionage group targeting VPN weaknesses has added urgency to the shift. The breach gave the attackers unauthorized access to corporate networks, exposing ongoing flaws in traditional VPN security.

The ThreatLabz team found that VPN-related vulnerabilities, or CVEs, grew by 82.5% between 2020 and 2024. Around 60% of these were ranked high or critical. Remote code execution was one of the most common and dangerous flaws.

The report also highlights that VPNs often give broad access to external users, which cybercriminals exploit through weak passwords or outdated software. One such breach at a financial firm exposed sensitive client data.

Some legacy vendors are attempting to rebrand old tools under a “Zero Trust” label by deploying virtual machines. However, the report criticizes these efforts as falling short of true Zero Trust principles. Attackers continue to scan the internet for accessible VPN IP addresses, seeking to exploit unknown flaws.

As more companies move toward comprehensive Zero Trust frameworks, they are replacing older tools and focusing on securing users, apps, and workloads through smarter, more proactive measures. The 81% of organisations already using or planning to adopt Zero Trust shows a clear trend toward stronger, modern cybersecurity strategies.

The report concludes by urging organisations to embrace true Zero Trust principles to eliminate VPN-related threats and adopt continuous verification to stop attacks before they succeed.
