Zscaler report urges shift from VPNs to Zero Trust

Zscaler has released its 2025 ThreatLabz VPN Risk Report, which highlights the challenges and security risks associated with VPN usage in Australia and outlines a shift toward Zero Trust architectures.

The report indicates a marked increase in VPN usage among organisations and individuals as they strive to protect against cyber threats. However, it also highlights significant concerns about VPNs' role in leaving enterprises vulnerable to cyberattacks. According to the report, 92% of organisations are concerned about the threat of ransomware attacks due to VPN vulnerabilities, while 93% fear backdoor entry points from third-party VPN connections.

The report finds that the increasing reliance on VPNs has not addressed the security issues these tools were originally intended to mitigate. "Initially built for remote access, VPNs have become a liability for corporate networks, exposing IT assets and sensitive data due to over-privileged access, vulnerabilities, and an ever-growing attack surface," the report notes.

Deepen Desai, Chief Information Security Officer at Zscaler, stated, "Attackers will increasingly leverage AI for automated reconnaissance, intelligent password spraying, and rapid exploit development, allowing them to compromise VPNs at scale." Desai recommends a shift to Zero Trust to mitigate these risks, saying, "To address these risks, organisations should shift to a Zero Trust everywhere approach. This approach eliminates the need for internet-exposed assets like VPNs (physical and virtual), while drastically reducing the attack surface and potential impact of breaches."

The report was informed by a survey of over 600 IT and security professionals, revealing that maintaining security and compliance is the primary challenge facing enterprises using VPNs today. It points out that 81% of these organisations are already adopting or planning to implement Zero Trust architectures within the next year, marking a significant departure from legacy systems.

Among the highlighted challenges with VPNs are slow performance, frequent connection issues, and complex maintenance, all of which can hinder operational efficiency and employee productivity.

A recent incident involving a foreign cyberespionage group exploiting VPN vulnerabilities has reinforced the need for a Zero Trust approach. This incident led to unauthorised access to corporate networks, underscoring ongoing security challenges.

The ThreatLabz team's analysis on VPN Common Vulnerabilities and Exposures (CVEs) indicates vulnerabilities have grown by 82.5% from 2020 to 2024. Approximately 60% of these were deemed high or critical, illustrating the potential risks to organisations. Remote code execution vulnerabilities were particularly common and serious.

The report also raises concerns about VPN-provided broad access to multiple external parties, which attackers can exploit through weak credentials and unpatched vulnerabilities. This has resulted in incidents such as a data breach at a financial services company exposing sensitive client information.

Traditional vendors adapting to the changing landscape by deploying virtual machines under a Zero Trust guise are reportedly failing to meet true Zero Trust principles. Attackers continue to target publicly accessible VPN IP addresses, suggesting the ongoing risk of exploiting yet-to-be-disclosed vulnerabilities.

As organisations increasingly adopt a holistic Zero Trust architecture, they replace legacy security tools, seeking to secure users, applications, and workloads through more comprehensive security measures. The report notes an 81% adoption rate or intent among organisations to move to a Zero Trust framework within the next year.

The report concludes by emphasising the importance of adopting Zero Trust best practices to replace VPN-related security risks with a framework that allows continuous verification and proactive threat prevention.