Enterprise concern: 92% expect VPN-linked ransomware threats

A sweeping new industry survey finds that 92% of organizations now fear that unpatched or outdated VPNs will be exploited to deliver ransomware — a striking signal that enterprise trust in legacy remote-access solutions is crumbling. That concern, highlighted in Zscaler’s ThreatLabz 2025 VPN Risk Report and echoed across security analyses, is accelerating migrations to Zero-Trust Network Access (ZTNA) and cloud-native access models.

The statistics that matter

The headline number — 92% — comes from Zscaler’s ThreatLabz 2025 VPN Risk Report, which surveyed security professionals about attack surfaces and priorities. Alongside that finding, other data points underscore the urgency:

Many respondents reported real incidents linked to VPN holes, with some surveys noting that more than half of organizations observed that security or compliance risks make traditional VPNs effectively obsolete.

Insurance and incident data show perimeter appliances (VPNs, firewalls) were a primary initial access vector for ransomware claims in 2024, responsible for roughly 58% of such cases in one industry analysis.


Those figures don’t just reflect fear — they reflect operational reality: legacy VPN appliances and misconfigured remote-access systems remain easy targets for attackers who want a foothold to move laterally and deploy ransomware. (TechRadar)

Why VPNs are seen as a ransomware vector

There are several concrete reasons enterprises flagged VPNs as high-risk:

Unpatched appliances and CVEs. Older, on-prem VPN devices from major vendors have suffered vulnerabilities and zero-days that attackers actively exploit. Recent incidents show that threat groups target exposed VPN endpoints to gain initial access.

Credential reuse and weak MFA adoption. Stolen or weak credentials, sometimes from third-party vendors, let attackers seize VPN access; lacking strict multi-factor authentication (MFA) makes these attacks easier.

Complexity and misconfiguration. Enterprise VPNs can be complex to maintain; misconfigurations, stale accounts, and permissive access rules leave attack paths open.


Security insurers and incident responders have flagged the same pattern: attackers exploit VPNs and remote access to bypass perimeter defenses, then escalate privileges and deploy ransomware — and the downstream cost is massive.

The industry response: Zero-Trust and cloud approaches

Faced with those risks, many organizations are shifting away from wide-open VPN architectures toward Zero-Trust Network Access (ZTNA), SASE (Secure Access Service Edge), and cloud-native remote-access solutions that verify every request, device posture, and user context before granting access.

Zscaler’s report found strong momentum behind this strategy: a majority of respondents are planning or already implementing Zero-Trust approaches to replace legacy VPNs, citing better access control, reduced lateral movement risk, and simplified patching windows.

At-Bay and other insurers’ analyses also reinforce the message: organizations using cloud-managed access or modern secure access controls face significantly lower ransomware exposure than those relying on aging on-prem VPN appliances. At-Bay’s InsurSec data shows on-prem VPN users were several times more likely to be targeted in observed incidents.

Expert perspective

Security leaders and researchers are blunt. Zscaler’s ThreatLabz authors warn that unpatched VPNs remain a favored initial access vector and urge rapid migration to micro-segmented, identity-centric access models. Meanwhile, industry practitioners note that moving to Zero-Trust is not just a technology swap — it requires governance, identity hardening, and continuous monitoring to be effective.

As one CISO-level practitioner paraphrased in coverage: migrating off legacy VPN appliances reduces the “attack surface that attackers love,” but organizations must also harden identity, enforce MFA, and adopt least-privilege access to realize the benefits.

Practical steps for organizations

If your org is concerned (and the data suggests you should be), a prioritized approach helps:

Inventory VPN endpoints and ensure immediate patching for known CVEs. Disable unused services.

Enforce strong MFA and credential hygiene for all remote access accounts; remove stale or unused accounts.

Segment networks and apply least privilege — limit VPN access to only necessary resources rather than broad network ranges.

Plan a staged Zero-Trust migration: adopt ZTNA or SASE where possible, and use cloud-managed secure access to reduce on-prem appliance complexity.

Test and validate: tabletop ransomware exercises, penetration testing, and continuous monitoring will reveal remaining exposure.
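The account and access checks from the steps above (MFA, stale accounts, broad network ranges), as an added example that is not from the article or any vendor: a Python audit over a constructed VPN account export. The CSV column names, the 90-day stale threshold and the /24 breadth cutoff are assumptions.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed sample export; column names are assumptions, not any vendor's format.
SAMPLE_EXPORT = """username,mfa_enabled,last_login,allowed_routes
alice,yes,2025-05-28,10.20.30.0/24
bob,no,2025-05-30,10.20.31.16/28
svc-backup,yes,2024-11-02,10.0.0.0/8
vendor-hvac,no,2024-09-15,0.0.0.0/0;10.20.40.0/24
"""

STALE_AFTER_DAYS = 90   # assumed policy threshold
MIN_PREFIX_LEN = 24     # assumed: an IPv4 route wider than /24 counts as "broad"


def audit_accounts(export_text, today):
    """Return {username: [findings]} for accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        if row["mfa_enabled"].strip().lower() != "yes":
            issues.append("no-mfa")
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > STALE_AFTER_DAYS:
            issues.append(f"stale:{idle}d")
        # Several routes per account are separated by ';' in this sample format.
        for route in row["allowed_routes"].split(";"):
            net = ipaddress.ip_network(route.strip(), strict=False)
            if net.prefixlen < MIN_PREFIX_LEN:
                issues.append(f"broad-route:{net}")
        if issues:
            findings[row["username"]] = issues
    return findings


def remediation_order(findings):
    """Accounts with the most findings first; ties broken by name."""
    return sorted(findings, key=lambda u: (-len(findings[u]), u))


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, today=date(2025, 6, 1))
    for user in remediation_order(report):
        print(f"{user}: {', '.join(report[user])}")
```

Passing the audit date in explicitly keeps the result reproducible; in practice it would be the day the export was taken.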


Conclusion

The 92% alarm bell is loud and clear: enterprises view outdated or unpatched VPNs as a prime ransomware risk. The right response combines immediate mitigation (patching, MFA, account cleanup) with a longer-term architectural shift toward Zero-Trust and cloud-native access models. For security teams, that means prioritizing identity, minimizing blast radius, and accelerating plans to make VPNs less central to remote access — or to retire them where possible. The payoff is lower ransomware risk and a more resilient access posture in an increasingly hostile threat environment.

Sources & further reading

Zscaler ThreatLabz 2025 VPN Risk Report — survey results and analysis. (Zscaler)

Zscaler press & coverage (global releases). (GlobeNewswire)

At-Bay / InsurSec analysis: VPN appliances and ransomware risk. (TechRadar)

Coalition Cyber Threat Index 2025 — ransomware initial vectors. (coalitioninc.com)

TechRadar / Arctic Wolf reporting on recent VPN targeting and zero-day exploitation. (TechRadar)

Amany Hassan

Amany Hassan is a news editor and content reviewer at VPNX, specializing in technology, cybersecurity, and digital privacy topics. Her focus is on reviewing, fact-checking, and refining articles to ensure accuracy, clarity, and added value — delivering reliable and well-edited news to readers.
