
The VPN break-in: Where the hidden tunnel leaks

Rising VPN exploits, from MitM attacks to zero-day flaws, expose enterprises to cyber threats, demanding urgent security upgrades and zero-trust adoption.

Voice&Data Bureau

February 2024: Reports of active exploitation of security flaws in Ivanti Connect Secure Virtual Private Network (VPN) appliances pile up. Fortinet, too, discloses a new critical flaw in its SSL VPN, potentially already exploited in the wild.


April 2024: Cisco warns of a global increase in brute-force attacks against VPN services and other remote-login interfaces on a range of devices.

May 2024: TunnelVision pops. This VPN-bypass and decloaking technique relies on a rogue DHCP server on the victim's local network: it pushes routes (DHCP option 121) that are more specific than the VPN's own, so the operating system sends traffic out of the physical interface in the clear while the VPN client still reports a connected, encrypted tunnel.

July 2024: Qilin ransomware attacks are traced back to initial access through compromised credentials for a VPN portal that lacked Multi-Factor Authentication (MFA).


November 2024: Security firms report that the DeepData surveillance framework has been abusing a zero-day vulnerability in Windows VPN client software to extract usernames and passwords. Also, D-Link tells customers to replace, rather than wait for a patch for, several end-of-life VPN router models after a critical, unauthenticated, remote code execution vulnerability is found in them.

December 2024: Researchers warn of NachoVPN, an attack tool that impersonates several vendors' VPN servers and exploits vulnerabilities in the connecting VPN clients to achieve privileged code execution on the endpoint.

January 2025: The Ivanti rampage continues. Reports of compromised VPN appliances and new malware, ‘Dryhook’ and ‘Phasejam,’ keep pouring in.


The list can go on and on, as can the threats. VPN could now very well stand for ‘Very Pale Network’, going by attackers’ interest in this part of an enterprise’s infrastructure and the ease with which its fragility has been turned against it.
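To make the May 2024 TunnelVision entry concrete, here is an added example written for this page (it is not code from the TunnelVision researchers, from the magazine or from any VPN vendor). It encodes and decodes DHCP option 121 as RFC 3442 specifies, then runs longest-prefix-match route selection over a constructed routing table to show which destinations silently leave the tunnel once a rogue lease is installed. The interface names, the 192.168.1.0/24 hotel network, the 10.8.0.0/24 tunnel subnet, the metrics, the rogue DHCP server at 192.168.1.254 and the VPN server at 203.0.113.5 are all assumptions made for the illustration.

```python
"""Model of the TunnelVision bypass: routes pushed via DHCP option 121 that are
more specific than the VPN's own routes win longest-prefix match, so traffic
leaves on the physical interface while the tunnel itself stays up."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str | None   # None: destination is directly on the link
    iface: str
    metric: int = 0


def encode_option121(routes: list[tuple[str, str]]) -> bytes:
    """RFC 3442 encoding: [prefix length][significant destination octets][router]."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(data: bytes, iface: str, metric: int = 100) -> list[Route]:
    """Parse option 121 the way a DHCP client does before installing the routes."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        dest, router = data[i + 1:i + 1 + n], data[i + 1 + n:i + 5 + n]
        if plen > 32 or len(dest) != n or len(router) != 4:
            raise ValueError(f"malformed option 121 at offset {i}")
        net = ipaddress.IPv4Network((dest + b"\0" * (4 - n), plen), strict=False)
        routes.append(Route(net, str(ipaddress.IPv4Address(router)), iface, metric))
        i += 5 + n
    return routes


def select_route(table: list[Route], dst: str) -> Route:
    """Longest prefix wins; the metric only breaks ties (as in a host's FIB)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def leaking(table: list[Route], dsts: list[str], vpn_iface: str = "tun0") -> list[str]:
    """Destinations whose packets would bypass the tunnel interface."""
    return [d for d in dsts if select_route(table, d).iface != vpn_iface]


def vpn_table() -> list[Route]:
    """Constructed laptop on hotel Wi-Fi (wlan0) with a full-tunnel VPN on tun0.
    The /1 pair is the usual 'def1' trick: it beats the DHCP default route
    without deleting it. 203.0.113.5 is the made-up VPN server."""
    N = ipaddress.IPv4Network
    return [
        Route(N("192.168.1.0/24"), None, "wlan0", 100),
        Route(N("0.0.0.0/0"), "192.168.1.1", "wlan0", 100),
        Route(N("203.0.113.5/32"), "192.168.1.1", "wlan0", 100),
        Route(N("10.8.0.0/24"), None, "tun0", 50),
        Route(N("0.0.0.0/1"), "10.8.0.1", "tun0", 50),
        Route(N("128.0.0.0/1"), "10.8.0.1", "tun0", 50),
    ]


# Rogue DHCP server on the same Wi-Fi (assumed at 192.168.1.254) hands out four
# /2 routes through itself; each is more specific than the VPN's /1 routes.
ROGUE_LEASE = encode_option121([
    ("0.0.0.0/2", "192.168.1.254"), ("64.0.0.0/2", "192.168.1.254"),
    ("128.0.0.0/2", "192.168.1.254"), ("192.0.0.0/2", "192.168.1.254"),
])


def attack_table() -> list[Route]:
    """Routing table after the DHCP client installs the rogue lease on wlan0."""
    return vpn_table() + decode_option121(ROGUE_LEASE, "wlan0")


if __name__ == "__main__":
    probes = ["198.51.100.10", "8.8.8.8", "10.8.0.1", "203.0.113.5"]
    print("before:", leaking(vpn_table(), probes))    # only the VPN server itself
    print("after: ", leaking(attack_table(), probes))  # public traffic now on wlan0
```

Run it and the "after" line shows public destinations leaving on wlan0 through the attacker's gateway, while 10.8.0.1 still goes via tun0 and the host route to the VPN server keeps the encrypted tunnel alive, which is why the client keeps saying "connected". A lower metric on the VPN routes does not help, because prefix length is compared first. The practical mitigations are the ones the disclosure itself lists: have the DHCP client ignore option 121, run the VPN in its own network namespace, or add firewall rules that let only the VPN process's own traffic out of the physical interface.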

Big security firms have also recently disclosed zero-day vulnerabilities in their own network security gateways, including one that lets an attacker read certain information on Internet-connected gateways with remote-access VPN enabled. Alongside these came warnings of attacks on the VPN devices of many security vendors, used as a way into enterprise networks.


The recent past has unfolded such dangers across the security industry spectrum, from Barracuda Networks and Check Point to Cisco, Fortinet, Ivanti, Palo Alto Networks, and VMware. Password-spray attacks, crafted API requests, state-linked groups such as Flax Typhoon, tunnel-bypass techniques and plain credential-based intrusion: the stripes vary, but the MO of these thieves is all about VPN.

According to the Check Point VPN Risk Report, 56% of organisations experienced one or more VPN-related cyberattacks in 2023—an increase from 45% the previous year, says Harish Kumar GS, Head of Sales, India and South Asia, Check Point Software Technologies. “Hackers use advanced techniques, including AI-driven methods, to compromise user credentials and exploit weaknesses within VPN infrastructures. Furthermore, the rise of fake or poorly designed VPN services presents additional risks.”


What makes VPN threats worth the worry, though? Two things: a VPN’s criticality and plausible fragility.

VPN: It is Very Wary Because

Ironically, the very concept of the VPN emerged from the need to carry private communication over public telecommunications infrastructure, using a tunnelling protocol and encryption to preserve confidentiality. VPNs hide users’ Internet Protocol (IP) addresses and encrypt traffic in transit, giving enterprises the safe escort they need for confidential and sensitive data.


From the virtual circuits of Asynchronous Transfer Mode (ATM) and Frame Relay to IP and Multiprotocol Label Switching (MPLS) networks, and on to today’s IPsec and SSL/TLS remote-access tunnels, VPNs have evolved considerably over the years. With the need for stronger security in the enterprise realm and the rise of cloud and remote-work models, organisations have been putting their trust in these private tunnels for good reason.

As Biswajeet Mahapatra, principal analyst at Forrester, puts it, “VPNs are foundational tools for protecting remote access to corporate networks, enabling encrypted data transmission and shielding sensitive information from unauthorised interception. However, the rise in advanced threats like phishing, ransomware, and zero-day attacks has exposed vulnerabilities in traditional VPN setups, such as weak authentication, outdated encryption protocols, and susceptibility to credential theft.”

Huzefa Motiwala, Senior Director of technical solutions for India and SAARC at Palo Alto Networks, adds that enterprise VPNs serve two key use cases: enabling secure remote access and ensuring safe site-to-site connectivity. “As crucial connectivity tools, they protect data in transit, protecting it from unauthorised access and reducing the risk of data breaches.”


Neehar Pathare, Managing Director and CEO of 63SATS, echoes that VPN helps prevent certain types of cyberattacks by enhancing online security and privacy. “A VPN offers comprehensive benefits by encrypting your data to safeguard sensitive information like bank details, ensuring high-level security and privacy. It prevents cyber criminals from intercepting data by rendering online communications unintelligible with 256-bit encryption,” he explains.

VPNs also stop ISPs from monitoring one’s activity, reducing data and bandwidth throttling for a seamless browsing experience. “By masking your IP address, VPNs grant access to geo-restricted content and business tools. They enable businesses to securely connect remote employees and run cloud-based applications, providing scalable and cost-effective network solutions. Additionally, cloud-integrated VPNs reduce IT support costs by simplifying secure network management,” Pathare adds.

Cloud—let us spend a minute on this word that has changed many security implications. Mahapatra observes how the shift to remote and hybrid work models has further heightened the stakes, expanding the attack surface and increasing the reliance on VPNs for secure access.

VPNs are high on attackers’ radar because of a crucial usage shift as well, as also underlined by Amit Patil, Senior Director of Technology – Cloud Capability Group Lead India, Publicis Sapient. “The dissolution of the traditional network perimeter means every remote employee’s connection has become a potential vulnerability.”

In today’s increasingly connected world, remote access is no longer a luxury but a necessity for many organisations, as rightly argued by Vivek Srivastava, Country Manager, India and SAARC at Fortinet: “This has led to the widespread adoption of VPNs to facilitate secure remote access. While VPNs are secure, they are architecturally limited to address modern security needs.”

Also, consider that VPNs have no insight into the content they deliver, as Srivastava reminds us. “VPNs are used for remote access when working from hotels, coffee shops, or home. Because most home offices are connected to largely unsecured home networks, they have become a primary target for cybercriminals looking for an easily exploited access point into the network.”


He further adds that networks are now highly distributed. “Critical resources and applications are now spread across data centres, distributed branch and home offices, and multi-cloud environments. Most VPN solutions were not designed to manage this level of complexity. A single VPN connection forces backhauling all the traffic through a central concentrator for inspection, which is resource-intensive and lag-inducing. Split tunnelling can address this, but it creates its own set of challenges as traffic goes straight to the internet without going through a firewall.”

VPN: The New Cyber-Criminal Favourite?

Yes, VPNs have become prime targets for cybercriminals due to their critical role in securing remote access to enterprise networks, offering attackers a direct pathway into internal systems, affirms Mahapatra.

“The widespread adoption of VPNs, driven by remote and hybrid work, has increased opportunities for exploitation, while vulnerabilities in unpatched software, insecure configurations, and stolen credentials from phishing or brute-force attacks make them appealing targets.”

Saket Verma, Cybersecurity Leader, Kyndryl India, explains this further: “The vulnerabilities inherent in traditional security measures, including VPNs, are often exploited by cybercriminals to gain unauthorised access, move laterally within networks, and exfiltrate sensitive data.”

“If compromised, attackers can gain direct access to sensitive data and critical systems. Cybercriminals often use phishing campaigns to steal credentials or exploit zero-day vulnerabilities. Once inside the network, they may move laterally to deploy ransomware or exfiltrate data,” affirms Vikrant Sharma, IT Department Manager of SBM Offshore India.

Pathare emphasises that organisations remain vulnerable to cyberattacks exploiting VPN security flaws. “Poor security measures or human errors, such as mishandling encryption keys, can allow cybercriminals to gain unauthorised access. With these keys, attackers can decrypt user data, compromising privacy, even with a VPN in place.”

Ask Motiwala, and he reminds us of the Unit 42 Attack Surface Threat Report, which pointed out that over 25% of exposures involve critical IT and networking infrastructure, including VPNs. These infrastructures are vulnerable to opportunistic attacks due to weaknesses in application-layer protocols and internet-accessible administrative login pages. Remote access services and business applications account for over 23% of the attack surface.


“Cybercriminals increasingly exploit VPN weaknesses, including man-in-the-middle (MitM) attacks, where unauthorised actors intercept and manipulate communications between devices and VPN servers,” Motiwala says.

As highlighted in Kyndryl’s findings, while many organisations express confidence in their cybersecurity measures, Verma points out that many still face recurring disruptions due to inadequate protection mechanisms.

Vinod V Jayaprakash, Consulting Cybersecurity Leader, EY GDS also observes, “VPNs provide entry to sensitive systems and data, making them an appealing target for attackers. Unpatched software, outdated VPN solutions, or configuration errors can serve as vulnerabilities for exploitation.” Consider the recent surge in VPN-specific exploits: password spraying attacks, unpatched vulnerabilities in VPN appliances, and sophisticated MitM attacks targeting split-tunnel configurations.
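The credential angle recurs throughout this piece: the April 2024 brute-force warnings, the MFA-less portal in the Qilin case, and the password-spraying attacks named just above. As an added example that is not from the article’s sources or from any vendor, the following Python block shows what a detection for that pattern looks like on a VPN concentrator’s own authentication log. It parses constructed sample lines modelled on Cisco ASA’s AAA rejection (113005) and AnyConnect session (113039) messages, separates a spray (one source, many accounts) from brute force (one source, one account), and then flags a successful session from a source that was just flagged, which on a portal without MFA is the moment the attacker is in. The hostnames, usernames, thresholds and documentation-range addresses are all assumptions.

```python
"""Spray / brute-force detection over remote-access VPN AAA logs, plus a check
for a successful session from a source that was just flagged."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log modelled on Cisco ASA messages 113005 (AAA rejection)
# and 113039 (AnyConnect session started). Hosts, users and addresses are
# made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jul 10 2024 02:14:03 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = a.kumar : user IP = 203.0.113.7
Jul 10 2024 02:14:09 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = b.singh : user IP = 203.0.113.7
Jul 10 2024 02:14:15 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = c.rao : user IP = 203.0.113.7
Jul 10 2024 02:14:21 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = d.mehta : user IP = 203.0.113.7
Jul 10 2024 02:14:27 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = e.nair : user IP = 203.0.113.7
Jul 10 2024 02:15:02 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = p.desai : user IP = 198.51.100.23
Jul 10 2024 02:15:40 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = p.desai : user IP = 198.51.100.23
Jul 10 2024 02:16:05 asa-vpn1 %ASA-6-113039: Group <corp-ra> User <p.desai> IP <198.51.100.23> AnyConnect parent session started.
Jul 10 2024 02:31:44 asa-vpn1 %ASA-6-113039: Group <corp-ra> User <e.nair> IP <203.0.113.7> AnyConnect parent session started.
Jul 10 2024 03:02:10 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
Jul 10 2024 03:02:19 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
Jul 10 2024 03:02:28 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
Jul 10 2024 03:02:37 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
Jul 10 2024 03:02:46 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
Jul 10 2024 03:02:55 asa-vpn1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = svc_backup : user IP = 198.51.100.40
"""

TS_FMT = "%b %d %Y %H:%M:%S"   # the 20-character timestamp that opens each line
REJECT = re.compile(r"%ASA-6-113005: .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION = re.compile(r"%ASA-6-113039: Group <[^>]+> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "reject" or "session"
    user: str
    ip: str


def parse(log: str) -> list[Event]:
    """Turn raw lines into time-ordered events; other message IDs are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:20], TS_FMT)
        if m := REJECT.search(line):
            events.append(Event(ts, "reject", m["user"], m["ip"]))
        elif m := SESSION.search(line):
            events.append(Event(ts, "session", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def _windows(evs: list[Event], window: timedelta):
    """Sliding time windows over a sorted event list, one per ending event."""
    start = 0
    for end, e in enumerate(evs):
        while e.ts - evs[start].ts > window:
            start += 1
        yield evs[start:end + 1]


def _rejects_by(events: list[Event], key) -> dict:
    groups = defaultdict(list)
    for e in events:
        if e.kind == "reject":
            groups[key(e)].append(e)
    return groups


def detect_spray(events, window=timedelta(minutes=10), min_users=5) -> list[dict]:
    """Password spray: one source failing against many different accounts."""
    alerts = []
    for ip, evs in _rejects_by(events, lambda e: e.ip).items():
        for win in _windows(evs, window):
            users = sorted({x.user for x in win})
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "ip": ip, "users": users, "until": win[-1].ts})
                break                        # one alert per source is enough
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=6) -> list[dict]:
    """Brute force: one source hammering a single account."""
    alerts = []
    for (ip, user), evs in _rejects_by(events, lambda e: (e.ip, e.user)).items():
        for win in _windows(evs, window):
            if len(win) >= min_attempts:
                alerts.append({"type": "brute_force", "ip": ip, "user": user, "until": win[-1].ts})
                break
    return alerts


def compromised_sessions(events: list[Event], alerts: list[dict]) -> list[Event]:
    """Sessions opened from a flagged source after its attack window: with no
    MFA on the portal, a guessed password alone gets the attacker in."""
    return [e for e in events if e.kind == "session"
            and any(e.ip == a["ip"] and e.ts >= a["until"] for a in alerts)]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    alerts = detect_spray(ev) + detect_bruteforce(ev)
    for a in alerts:
        print(a)
    for s in compromised_sessions(ev, alerts):
        print("POSSIBLE COMPROMISE:", s.user, "from", s.ip, "at", s.ts)
```

On the sample, 203.0.113.7 is flagged as a spray (five accounts in under a minute) and its later e.nair session is reported as a possible compromise, 198.51.100.40 is flagged as brute force against svc_backup, and p.desai’s two typos followed by a login from the same address trigger nothing. The thresholds are starting points to tune per environment, and the two regexes are the only vendor-specific part: swapping them adapts the same logic to another concentrator’s log format.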

Patil highlights, “A particularly insidious trend we are tracking is the rise of ‘VPN poisoning’ attacks. Attackers exploit split-tunnel configurations, wherever they can intercept traffic when it switches between secure and unsecured channels.”

How to Fix this Moat?

Mahapatra suggests that modernising VPN security with MFA, endpoint verification, regular patching, and transitioning to zero-trust architectures is essential to mitigate these risks. “Enterprises must view VPN security not as a standalone solution but as a critical component of a broader, adaptive cybersecurity strategy.” He stresses that CIOs, CTOs, and decision-makers should invest in comprehensive cybersecurity frameworks, including endpoint protection, network monitoring, and zero-trust architecture, to mitigate risks.


“Regularly conducting audits and vulnerability assessments ensures proactive identification and remediation of potential threats. Leveraging AI-driven tools for threat detection and response can enhance protection against evolving cyberattacks,” Pathare suggests. He adds, “Complement VPNs with a Zero Trust framework to verify users and devices at every access point, ensuring enhanced security. Enterprises need to perform periodic penetration testing and vulnerability assessments to identify and mitigate weaknesses in your VPN infrastructure.”

Building cyber resilience should be a top priority, stresses Verma. “This means going beyond defence to ensure organisations can continue operations during and after a cyberattack.”

This attention matters because the risks are set to grow more serious and wider-ranging as quantum computing enters the mix. Patil contends that current VPN encryption protocols, especially those using older standards, may soon become vulnerable to quantum-based attacks. “We are already seeing the emergence of ‘harvest now, decrypt later’ attacks, where encrypted VPN traffic is captured and stored for future decryption.”


It is no longer adequate to think in terms of ‘inside’ versus ‘outside’ the network. Instead, he says, highlighting the dangers without mincing words, we must assume every connection is potentially compromised and design systems to mitigate risks accordingly.

With adoption and appetite showing signs of more growth in this space, it is imperative that trust and security are restored and strengthened. If we look at the global VPN market size, it was reckoned at USD 72.89 billion in 2024, rising to USD 88.96 billion in 2025 and expected to cross around USD 534.22 billion by 2034 (as per Precedence Research). Verified Market Research indicates that the enterprise VPN market can reach USD 151.77 billion by 2031 (growing from USD 48.50 billion in 2024).

Understandably, the industry—both vendors and enterprise users—would gain a lot from pulling up some socks here. Can we again accentuate ‘private’ in VPN without losing the ‘virtual’ in it?

By Pratima Harigunani

pratimah@cybermedia.co.in
