VPNs Falling Out of Favor as Security Risks Grow, Zscaler Report Finds

by Shelley

A new report from Zscaler ThreatLabz, in collaboration with Cybersecurity Insiders, reveals that more than half of organizations now view traditional VPNs as outdated and risky. According to the Zscaler ThreatLabz 2025 VPN Risk Report, 56% of IT and security professionals believe VPNs can no longer meet today’s security and compliance demands.

The report, based on a survey of over 600 professionals, outlines how vulnerabilities in VPNs are being exploited in ransomware attacks. These risks are pushing businesses toward Zero Trust security models, which limit access and continuously verify users and devices.

Key findings show that 92% of respondents are concerned about ransomware attacks using VPN flaws. Another 93% fear that third-party VPN connections could introduce backdoors into their systems. These fears are driving a rapid shift: 65% of companies plan to replace their VPNs within the next year, and 81% are either implementing or planning to implement Zero Trust strategies.

Traditional VPNs, originally built for secure remote access, are now seen as security liabilities. Once a user logs in, they often gain broad access to a company’s entire network. This setup increases the risk of data breaches, especially when access privileges are too broad or software is not regularly updated.

This approach clashes with the core idea behind Zero Trust: “never trust, always verify.” In addition to security concerns, VPNs are also criticized for causing slow performance, frequent disconnects, and complex upkeep.

The report highlights a sharp rise in VPN vulnerabilities. From 2020 to 2025, the number of known VPN-related security flaws (CVEs) grew by 82.5%. About 60% of recent vulnerabilities were rated high or critical. Among the most dangerous are Remote Code Execution (RCE) flaws, which allow attackers to run harmful code on targeted systems.

Another major concern is third-party access. VPNs often give outside contractors and vendors wide network access. If these connections are not carefully managed, attackers can break in using stolen credentials, misconfigurations, or unpatched systems. A recent breach at a financial services firm, traced back to a VPN flaw, exposed personal data from nearly 20,000 customers.

To combat these threats, more organizations are embracing Zero Trust. Some vendors are rebranding cloud-based VPNs as Zero Trust solutions, but the report warns that these still fall short of true Zero Trust standards.

Zscaler recommends a full Zero Trust approach, covering users, apps, and workloads. This model reduces attack surfaces, stops threats from spreading, protects data, and simplifies security operations. By verifying all activity continuously and limiting access based on need, organizations can replace outdated VPNs with a safer, smarter system.

“Cyber attackers are using AI to find vulnerabilities faster, automate password attacks, and launch advanced exploits,” said Deepen Desai, Chief Security Officer at Zscaler. “To stay ahead, companies must adopt Zero Trust everywhere. This strategy eliminates exposed systems like VPNs and significantly lowers the risk of a breach. It’s promising to see that 81% of businesses are planning to make this change in the next year.”
