Port Shadow VPN attacks: who's at risk and how to stay safe


A team of researchers is warning of a vulnerability affecting VPN platforms which could make users "less secure in specific situations."

What's been dubbed "Port Shadow" can allow attackers to act as a man-in-the-middle between you and the VPN server you're connected to. This potentially enables them to intercept and decrypt your VPN traffic, redirect your DNS requests, and deanonymize your connection.

Before you panic, you should know that the best VPN services aren't vulnerable, as they are built precisely to prevent third parties from exploiting this flaw.

In fact, the new Port Shadow study builds on research from 2021, meaning VPN developers were largely already aware of the flaw. What's certain, though, is that the new paper sheds yet more light on the importance of choosing reputable VPN software.

The dangers of Port Shadow

As the researchers explain in their paper, widely used VPN protocols (OpenVPN, WireGuard, OpenConnect) can be vulnerable to Port Shadow when they lack the right software infrastructure to prevent the flaw from being exploited. This effectively makes people using a poorly built VPN service less secure rather than more.

"Port Shadow attacks pose significant risks to user privacy," Karolis Kaciulis, Leading System Engineer at Surfshark, told me. "The primary threat is that malicious actors can intercept a user’s DNS requests and inject harmful DNS records in response. This manipulation allows attackers to redirect user traffic and could lead to further attacks."

This is because the Port Shadow flaw enables threat actors to target other users connected to the same VPN server, as they share a common port to establish the connection.

Much like browsing on public Wi-Fi without the right protections in place, if source port selection isn't randomized, third parties may ultimately be able to snoop on your unencrypted data, scan your ports, or even hijack your connection.

Despite how dangerous it all sounds, however, some VPN developers argue that exploiting this vulnerability isn't as easy in practice as it looks on paper.

"The attack vector is not very practical given it requires the attacker to know both the public IP address of the victim and the specific VPN server they are connected to," said Samuele Kaplun, Ecosystem & VPN Lead at Proton VPN. "Given these requirements, we would be surprised if it was successfully exploited in the wild."

Lauren Hendry Parsons, ExpressVPN's spokesperson, shares a similar view. "Multiple preconditions would have to be met for anyone to be vulnerable to it," she said. "The way we assess it is that it’s essentially a lab-only attack: in theory, you could extend it to any basic VPN provider, but in reality, it's difficult to pull off, and it's not really clear what it gains you."  

How to protect against Port Shadow attacks

As mentioned earlier, the most reputable VPN providers have already built their software to successfully neutralize Port Shadow attacks. 

As the research paper reads: "We found that some VPN services operating over OpenVPN or WireGuard protocols are not susceptible to CVE-2021-3773, including NordVPN, ExpressVPN, and Surfshark." Alongside these services, Proton also confirmed to TechRadar that its VPN is not affected.

So, what are these VPN providers doing to protect you from Port Shadow attacks? And, most importantly, what can you do to boost your VPN security even more?

Using a reputable VPN 

The most secure VPN providers are built so that each server uses different entry and exit IP addresses. As Kaplun from Proton VPN explains, this aims to prevent the creation of connection tracking among IPs, which is essential for carrying out the attack.

Commenting on this point, Parsons from ExpressVPN said: "This is an industry best practice - it enhances user privacy by preventing websites or ISPs from tying activity to specific individuals."
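
For anyone running their own VPN server, the entry/exit separation described above can be checked from the server's NAT rules. The following is an added example, not code from the researchers or from any provider quoted here; it assumes a Linux server doing IPv4 source NAT with iptables, and the function names, addresses, interface map and sample rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed `iptables-save -t nat` excerpt for a hypothetical VPN server.
SAMPLE_NAT_RULES = """\
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.20
-A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 203.0.113.8-203.0.113.12:1024-65535
-A POSTROUTING -s 10.11.0.0/24 -j MASQUERADE
COMMIT
"""
ENTRY_IP = "203.0.113.10"             # address clients connect to (assumed)
IFACE_IPS = {"eth0": "203.0.113.10"}  # primary IPv4 per interface (assumed)

def exit_span(rule, iface_ips):
    """Return (first, last) exit address for a source-NAT rule, or None if unknown."""
    if "-j MASQUERADE" in rule:
        # MASQUERADE rewrites to the outgoing interface's own address.
        m = re.search(r"(?:^| )-o (\S+)", rule)
        ip = iface_ips.get(m.group(1)) if m else None
        return (ip, ip) if ip else None
    m = re.search(r"--to-source (\S+)", rule)
    if not m:
        return None
    addrs = m.group(1).split(":")[0]       # drop optional :port-range (IPv4 only)
    first, _, last = addrs.partition("-")  # single address or "a-b" range
    return (first, last or first)

def audit(nat_rules, entry_ip, iface_ips):
    """Classify each source-NAT rule by whether the exit address can equal the entry address."""
    entry = ipaddress.ip_address(entry_ip)
    findings = []
    for rule in nat_rules.splitlines():
        if not rule.startswith("-A POSTROUTING"):
            continue
        if "-j MASQUERADE" not in rule and "-j SNAT" not in rule:
            continue  # not a source-NAT rule
        span = exit_span(rule, iface_ips)
        if span is None:
            findings.append((rule, "UNKNOWN"))
            continue
        lo, hi = (ipaddress.ip_address(a) for a in span)
        findings.append((rule, "SHARED" if lo <= entry <= hi else "SEPARATE"))
    return findings

if __name__ == "__main__":
    for rule, verdict in audit(SAMPLE_NAT_RULES, ENTRY_IP, IFACE_IPS):
        print(f"{verdict:8} {rule}")
```

A `SHARED` verdict means client traffic can leave from the same address clients connect to, the setup the providers above say they avoid; `UNKNOWN` rules need a manual check of which interface they egress on.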

Did you know?


A virtual private network (VPN) is security software that encrypts your internet connections to boost your online privacy by rerouting the data leaving your device into a secure encrypted tunnel. As you need to connect to one of its servers to use the service, a VPN also spoofs your real IP address allowing you to access otherwise geo-restricted content. 

Look out for a reliable kill switch 

A VPN kill switch is an additional layer of security to look out for, as it's designed to protect your data from accidental exposure and leaks. If your VPN connection drops, this advanced security feature will block your internet access until the connection to the VPN server is restored.

The good news is that all the top-rated VPNs offer this tool, with our favorite NordVPN boasting two kill switches for doubling down on its protection. So, make sure to keep the kill switch option active at all times.

Get a Dedicated IP for extra safety

Considering that a shared IP is a key factor in being vulnerable to Port Shadow attacks, you could cut off the problem at the source by getting a dedicated IP. As the name suggests, this is an address that only you will ever use - a security option offered by many providers, generally for an extra fee.

It is worth reminding you that, while it can further mitigate the risk, a dedicated IP isn't strictly needed if you're using a trustworthy VPN. As NordVPN commented when I asked, "Our customers are safe regardless."

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example:

1. Accessing a service from another country (subject to the terms and conditions of that service).

2. Protecting your online security and strengthening your online privacy when abroad.

We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Chiara Castro
News Editor (Tech Software)

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
