The Big Idea: VPNs Are No Longer the Backbone of Secure Access
Virtual private networks (VPNs) were the standard for remote connectivity for more than two decades. But as enterprises have shifted to hybrid work and cloud-first operations, the weaknesses of VPNs have become impossible to ignore. We found that in just one year, more than half of organizations suffered attacks tied directly to VPN vulnerabilities.
Attackers are increasingly using zero-day vulnerabilities, stolen credentials, and AI-powered reconnaissance to exploit these outdated access solutions and infiltrate networks. It’s no wonder the vast majority of organizations now plan to adopt a zero trust strategy by 2026.
VPNs accelerate risk across every dimension
The report’s global survey of 632 IT and cybersecurity professionals revealed four defining trends:
- VPN obsolescence is accelerating. A massive 65% of enterprises intend to replace their VPNs within a year—23% more than last year’s report.
- VPN exploitation is escalating. This year, 56% of organizations saw VPN-related breaches, and 92% worry VPNs expose them to ransomware.
- VPN frustrations are boiling over. 51% of organizations say their VPNs provide poor user experiences, and 37% complain of high costs.
- Zero trust is rapidly replacing VPNs. Nearly all organizations (96%) have already implemented, are planning, or have bought into a zero trust strategy.
VPNs increase the likelihood and blast radius of attacks
Ransomware groups have learned that VPNs are low-hanging fruit, making them attractive targets. Unpatched devices and implicit trust models allow attackers to rapidly deploy ransomware and other malware as well as perform unhindered lateral movement.
In response, some legacy VPN vendors have rebranded cloud-delivered virtual machines as zero trust solutions. Architecturally, however, cloud-hosted VPNs are still internet-connected services with public IP addresses that attackers can find and breach.
Now, 71% of respondents rank lateral movement as a top concern, as VPNs’ implicit trust models mean one compromised user can effectively breach an entire environment. Attackers can then use their broad network access to escalate privileges and steal sensitive data before they are detected.
Zero trust is gaining decisive momentum
Most organizations recognize that VPNs can no longer support their security and access needs. Growing vulnerabilities, poor user experiences, and maintenance demands are pushing organizations away from VPNs at a historic rate, and toward modern secure access solutions like zero trust network access (ZTNA).
To shore up the weaknesses of legacy VPN architectures, the overwhelming majority (96%) of organizations are now considering or actively pursuing a zero trust strategy in the near future.
The zero trust vs. VPN debate is over
VPNs once defined remote access. Today, they define risk. Traditional perimeters have collapsed, and attackers are exploiting every gap, from unpatched CVE chains to third-party backdoors.
Our findings make one thing clear: enterprises must replace VPNs with zero trust architectures to stay resilient against today’s sophisticated threats.
Download the full Zscaler ThreatLabz 2025 VPN Risk Report for expanded insights, trends, and analysis, including:
- The most severe VPN exploits, from remote code execution to authentication bypass
- What led to some of the year’s high-profile VPN-related breaches
- Business risks during M&A and third-party access, from inherited vulnerabilities to backdoors in supplier VPNs
- Real-world case studies like ManPower Group, which cut help desk tickets by 97% after replacing VPNs
- Top 7 VPN risk predictions for 2025 and beyond from our expert threat research team
- Best practices your organization can implement today to eliminate critical VPN risks