VPN vulnerabilities: what do they really mean and should you be worried?


The very best VPNs establish a secure, encrypted connection between devices over a network, allowing companies and organizations to share resources securely. They were originally intended to let employees “dial home” to their corporate mainframe, but these days they are also often used to access geo-specific services or to protect people’s online privacy. You can find out more in our guide What is a VPN?

It’s easy to get a false sense of security from using a VPN, given that they use strong encryption. Still, not all VPNs are created equal, especially some of the less-than-stellar free VPNs, and any of them may have security vulnerabilities in their setup and implementation. You also need a clear idea of the limits of what a VPN can and can’t do.

Rogue users 

Using a VPN alone won’t always protect your systems from hackers. Naturally someone monitoring your connection won’t be able to decipher encrypted information sent over a secure VPN tunnel. Still, this won’t protect you from someone already connected to the virtual private network.

This is a particular concern if you have a large network, as by default VPNs follow an “all or nothing” model: everyone connected can access all network resources and exploit them. You can reduce this risk somewhat by implementing “zero trust network access”, which limits access to certain parts of your network to just those who truly need it.

Unprotected connections 

Once a secure, encrypted connection is established across your VPN, attackers will find it almost impossible to read anything meaningful from monitoring your data traffic. But what if something goes wrong at the start?

If the initial connection between your VPN client and server fails, or drops out during use, then by default many devices fall back to the former unencrypted connection. If users don’t spot this in time, their data could be at risk.

Fortunately, some providers offer a VPN kill-switch that monitors when this happens. When it occurs, it simply shuts down all network access until the secure connection is established again. You can check with your VPN provider to see if they offer this service. Even if they do, it’s worth testing it whilst accessing some unimportant data to make sure it’s up to scratch. 

Protocols and patching 

VPNs originally used IPsec protocols to send and receive encrypted data. With time, VPNs shifted to using SSL/TLS to secure connections. SSL and TLS are supported natively by servers and web browsers through implementations like the OpenSSL library, making VPN products much easier to create and set up.

However, SSL and TLS implementations have had exploitable weaknesses. Worse still, some of these weaknesses have carried through to the VPNs that use them, particularly where hackers can gain access to authentication credentials, such as the private keys used to secure the VPN.

In 2019, researchers at the Black Hat Security conference gave a presentation on how hundreds of such vulnerabilities had been discovered in SSL VPNs along with a demonstration of how to “jailbreak” such networks. 

Unlike normal software products, it’s also not easy to install “patches” to fix such vulnerabilities, as doing so would involve shutting down the entire VPN, which would leave user data at risk in the meantime.

DNS leaks 

Assuming that a user wants to use a VPN for privacy reasons, DNS leakage is a serious worry.

DNS acts as a virtual telephone directory for the internet, translating the web addresses you type into your browser into machine-readable IP (Internet Protocol) addresses.

All VPN services will establish an encrypted connection between the client and server if set up correctly. However, if the DNS ‘requests’ you make are also not managed by the VPN, then a bad actor may be able to find out which sites you visit. This is known as a DNS leak.

This can occur because your VPN service has left the default DNS servers offered by your ISP in place rather than requiring your device to use its own. Better VPN providers understand how exposed this leaves your devices and forward all DNS requests to their own servers.
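One practical way to spot the misconfiguration described above is to inspect the client’s resolver configuration after the tunnel is up and flag any nameserver that is not inside the VPN’s own address space. The script below is an added example, not code from the original article or from any VPN provider; the sample resolv.conf and the 10.8.0.0/24 VPN range are constructed for illustration.

```python
"""Check a Linux client's /etc/resolv.conf for a DNS leak (added example)."""
import ipaddress

# Constructed sample of /etc/resolv.conf after a VPN connection came up.
# The first nameserver is the VPN provider's resolver; the other two are
# the ISP/router defaults that the client left in place, which is the leak
# the article describes.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 203.0.113.53
"""


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def find_dns_leaks(resolv_conf: str, vpn_networks: list[str]) -> list[str]:
    """Return every configured resolver that is NOT inside the VPN's address
    space, i.e. one that DNS queries would reach outside the tunnel.

    vpn_networks is an assumed list of CIDR ranges the VPN routes to its own
    resolvers. Every non-VPN entry counts as a leak: the stub resolver falls
    back down the list when an earlier server times out, so even a second
    or third ISP resolver will eventually see your queries.
    """
    allowed = [ipaddress.ip_network(n) for n in vpn_networks]
    leaking = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            leaking.append(server)  # unparsable entry: treat as untrusted
            continue
        if not any(addr in net for net in allowed):
            leaking.append(server)
    return leaking


if __name__ == "__main__":
    leaks = find_dns_leaks(SAMPLE_RESOLV_CONF, ["10.8.0.0/24"])
    print("leaking resolvers:", leaks or "none")
```

On a real machine, replace SAMPLE_RESOLV_CONF with the contents of /etc/resolv.conf and the network list with the ranges your provider documents for its resolvers.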

Malware and phishing 

While VPNs can establish encrypted connections between your devices, in themselves they can’t do much to protect you from malware or phishing attacks.

In simplest terms, this means that if you or anyone connected to your VPN downloads malware to a device and runs it, that device will be affected in exactly the same way as one that didn’t use a VPN.

Similarly, should a user click on a phishing link and enter sensitive data, a VPN won’t help keep this data safe. You can reduce the risk of this happening by improving all-round security: make sure your antivirus software is up to date and install malware removal software and ad blockers.  

Protect against VPN weaknesses

VPNs are not a one-stop security and privacy solution. They need to be properly set up and maintained. You also need to be aware who else is connecting to them. 

If you feel the level of trust you have to give to these people is too great, you may prefer to move to a centralized cloud-based model for people in your organization, especially if you’re still running legacy VPNs that put you at risk. This will give you greater control over which resources they can access.

If you’re simply accessing a VPN for personal use, choose a reputable provider who regularly conducts VPN audits to protect against weaknesses like these.  

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.
