The digital landscape is littered with technologies once hailed as revolutionary, now seen as relics. According to a sobering new report from cyber insurance firm At-Bay, the traditional on-premise VPN is rapidly heading for that list. The study, which analyzed over 100,000 policy years of data from approximately 40,000 American businesses between early 2024 and the first quarter of 2025, paints a grim and unequivocal picture: your company’s VPN is likely its single greatest point of ransomware risk.
The findings are not subtle. Organizations running on-premise VPN systems from industry giants Cisco and Citrix were found to be a staggering 6.8 times more likely to suffer a ransomware incident compared to businesses without them. This isn’t a minor statistical anomaly; it’s a five-alarm fire for any Chief Information Security Officer (CISO) who still relies on this decades-old architecture for remote access. The report confirms a fear that has been quietly growing in cybersecurity circles for years—that the “castle-and-moat” security model, where a strong perimeter protects a trusted internal network, is fundamentally broken in an age of remote work and sophisticated cybercrime.
A Rogue’s Gallery of Risk: The Data Doesn’t Lie
While Cisco and Citrix topped the list, the problem is endemic to the entire on-premise VPN market. The At-Bay analysis, which adjusted its figures to account for the market share and prevalence of each product, found other major players were also associated with a dramatically elevated risk profile.
Businesses using SonicWall VPNs were 5.8 times more likely to be hit by ransomware, a figure likely exacerbated by a 300% surge in attacks from the notorious Akira ransomware gang, which has shown a particular affinity for exploiting SonicWall vulnerabilities. The list continues with Palo Alto Networks’ GlobalProtect (5.5 times the risk) and Fortinet (5.3 times the risk). The pattern is undeniable. The common denominator isn’t a single flawed product, but a flawed technological approach.
Broadening the lens, the report revealed that any business using an on-premise VPN, regardless of the vendor, was 3.7 times more likely to be victimized than a company using a modern cloud-based VPN or having no VPN infrastructure at all. This highlights the core issue: it’s the architecture itself that has become the liability. These devices, often physical appliances sitting in a data center, create a single, hardened target for attackers. Once they breach that perimeter, they often gain broad access to the internal network, making it a high-stakes, all-or-nothing proposition for defenders.
The Double-Edged Sword of Complexity
The defenders, it turns out, are fighting an uphill battle. Roman Itskovich, Chief Risk Officer at At-Bay, was careful to clarify that the issue isn’t necessarily a lack of quality in the products themselves. “We’re not suggesting these products are inherently insecure,” Itskovich explained. “On the contrary, they are incredibly powerful and feature-rich. But their strength is also their weakness. They are complex systems that demand constant, expert-level maintenance.”
This is the crux of the problem. A VPN appliance is not a “set it and forget it” device. It requires a dedicated cycle of patching, configuration management, and monitoring. “While many organizations have the expertise to deploy them securely on day one,” Itskovich continued, “far fewer have the sustained resources to maintain them properly over months and years. This operational gap leads directly to missed patches, outdated configurations, and security policies that drift out of compliance.”
The report’s data backs this up with frightening clarity: a full 80% of ransomware cases analyzed began with attackers gaining their initial foothold through remote access tools. Of those incidents, an overwhelming 83% involved the compromise of a VPN device. The VPN is, quite literally, the most common digital front door that hackers are kicking in.
A Tale of Two Technologies: The Old Guard vs. The New
To understand why on-premise VPNs are so vulnerable, it helps to compare them to their modern successors, primarily solutions falling under the umbrella of Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA).
A traditional VPN operates like a bouncer at a club. Once you show your ID (credentials), you’re inside. You can roam freely and access almost anything. If an attacker steals a legitimate employee’s credentials or finds a single vulnerability in the VPN software, they too get inside with the same broad access. This creates a massive “blast radius”—a single breach can compromise the entire network.
Cloud-based ZTNA, in contrast, operates on the principle of “never trust, always verify.” It functions like a security system with guards at every single door inside the building. Access to each application or data resource is a separate, verified transaction. A user’s identity is continuously re-authenticated, and their device’s security posture is checked before access is granted to anything. This micro-segmentation means that even if an attacker compromises one set of credentials, they are firewalled off from moving laterally across the network. Their access is confined to a tiny, isolated sliver of the company’s resources, dramatically reducing the potential damage.
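The blast-radius difference between the two models can be made concrete. The following Python is an added example written for this article, not code from At-Bay or from any vendor named here; the resource names, group names, device-posture fields and MFA-age limits are assumptions chosen for illustration. It models the perimeter VPN as “one accepted login makes everything routable” and ZTNA as a default-deny, per-resource decision that also checks device posture and how recently MFA was verified, then compares what a phished developer credential can reach under each.

```python
from dataclasses import dataclass

# Constructed illustration: four internal resources and a per-resource access policy.
# Resource names, group names and thresholds are assumptions made for this example;
# they do not come from the At-Bay report.
RESOURCES = ["hr-portal", "git-server", "finance-db", "backup-console"]

# Perimeter ("bouncer") model: one accepted VPN login makes every internal
# resource routable, so the blast radius of a stolen credential is the whole list.
def vpn_reachable_resources(credential_valid: bool) -> set:
    return set(RESOURCES) if credential_valid else set()

@dataclass
class Request:
    user: str
    groups: set            # group memberships asserted by the identity provider
    device_managed: bool   # device is enrolled in management
    device_patched: bool   # device reports a current patch level
    mfa_age_minutes: int   # minutes since the last successful MFA verification
    resource: str

# Per-resource policy: which groups may reach it, whether a managed and patched
# device is required, and how fresh the MFA verification must be.
ZTNA_POLICY = {
    "hr-portal":      {"groups": {"staff"},        "managed": False, "max_mfa_age": 480},
    "git-server":     {"groups": {"dev"},          "managed": True,  "max_mfa_age": 480},
    "finance-db":     {"groups": {"finance"},      "managed": True,  "max_mfa_age": 15},
    "backup-console": {"groups": {"backup-admin"}, "managed": True,  "max_mfa_age": 15},
}

def ztna_decide(req: Request) -> tuple:
    """Evaluate one access request against one resource's policy (default deny)."""
    policy = ZTNA_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not (req.groups & policy["groups"]):
        return False, "identity not entitled to resource"
    if policy["managed"] and not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    if req.mfa_age_minutes > policy["max_mfa_age"]:
        return False, "MFA verification too old: re-authenticate"
    return True, "allow"

def ztna_reachable_resources(user, groups, device_managed, device_patched, mfa_age_minutes) -> set:
    """Every resource this principal could reach: the blast radius under ZTNA."""
    reachable = set()
    for resource in RESOURCES:
        allowed, _ = ztna_decide(
            Request(user, groups, device_managed, device_patched, mfa_age_minutes, resource)
        )
        if allowed:
            reachable.add(resource)
    return reachable

if __name__ == "__main__":
    # Scenario: a developer's credentials were phished, including a fresh MFA code,
    # and are replayed from the attacker's unmanaged machine.
    stolen = dict(user="alice", groups={"staff", "dev"}, device_managed=False,
                  device_patched=False, mfa_age_minutes=0)
    print("VPN blast radius :", sorted(vpn_reachable_resources(True)))
    print("ZTNA blast radius:", sorted(ztna_reachable_resources(**stolen)))
```

With the same stolen credential, the VPN model exposes all four resources while the ZTNA policy exposes only the one resource that neither requires a managed device nor a recent MFA check. The same developer on a managed, patched laptop reaches exactly the two resources their role needs, which is the point of per-resource authorization: access follows the policy, not the network position.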
Itskovich summarized the architectural advantage succinctly: “The bottom line is that traditional on-premise VPNs are often too difficult for most companies to operate securely. Cloud-based SASE products, on the other hand, significantly reduce the organization’s exposure to direct attacks from the public internet compared to a traditional VPN appliance.”
Anatomy of a Modern Breach: From Vulnerability to Ransom
The path from an unpatched VPN to a full-blown ransomware crisis is a well-trodden one for cybercriminals. It typically begins with automated scanners that constantly probe the internet for corporate VPNs with known, unpatched vulnerabilities.
A prime example is the infamous “CitrixBleed” vulnerability (CVE-2023-4966) that emerged in late 2023. This critical flaw in Citrix NetScaler appliances allowed attackers to bypass password and even multi-factor authentication requirements, giving them the ability to hijack existing, legitimate user sessions. Thousands of organizations, including major corporations and government agencies, were left scrambling to patch their systems as ransomware groups like LockBit began exploiting the flaw en masse. This single vulnerability became a goldmine for cybercriminals, leading to a wave of devastating breaches.
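Because the flaw let attackers reuse an existing session rather than log in, the defender’s signal is a session identifier appearing from a source that never authenticated it. The following Python is an added example written for this article, not code from Citrix, At-Bay or any ransomware investigation; the log format, field names, session identifiers and IP addresses are constructed for illustration and do not match any real appliance’s log syntax. It walks a batch of session events and flags sessions used from an address with no matching login.

```python
import re
from collections import defaultdict

# Constructed log format for this example: one line per VPN session event.
# Real appliances log differently; the field names here are assumptions.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>login|request|logout)$"
)

# Constructed sample: session s1 is authenticated from one address and later used
# from another; session s3 is used without any login event at all.
SAMPLE_LOG = """\
2023-11-02T09:00:01Z session=s1 user=alice src=203.0.113.10 event=login
2023-11-02T09:00:09Z session=s1 user=alice src=203.0.113.10 event=request
2023-11-02T09:03:44Z session=s2 user=bob src=192.0.2.5 event=login
2023-11-02T09:04:02Z session=s2 user=bob src=192.0.2.5 event=request
2023-11-02T09:12:30Z session=s1 user=alice src=198.51.100.7 event=request
2023-11-02T09:12:31Z session=s1 user=alice src=198.51.100.7 event=request
2023-11-02T09:15:00Z session=s3 user=carol src=198.51.100.7 event=request
""".splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_session_anomalies(lines):
    """Flag session identifiers used from a source address that never authenticated them.

    A legitimate session is created by a login event and then used from the same
    source.  A session token that shows up from a different address, or with no
    login at all, is the footprint of a replayed or hijacked token.
    """
    login_sources = defaultdict(set)   # sid -> addresses that performed a login
    reported = set()                   # (sid, src) pairs already flagged
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line: skip rather than abort the whole batch
        sid, src = rec["sid"], rec["src"]
        if rec["event"] == "login":
            login_sources[sid].add(src)
            continue
        if src not in login_sources[sid] and (sid, src) not in reported:
            reported.add((sid, src))
            findings.append({
                "ts": rec["ts"], "session": sid, "user": rec["user"], "src": src,
                "reason": ("no login seen for this session" if not login_sources[sid]
                           else f"session authenticated from {sorted(login_sources[sid])}"),
            })
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

Run against the sample, it reports two findings: session s1 used from 198.51.100.7 after being authenticated only from 203.0.113.10, and session s3 used with no login on record. A user roaming between networks will trip the same rule, so in production the check is tuned with known egress ranges and correlated with the time gap between the login and the first foreign-source request; the rule is a triage signal, not a verdict.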
The attack chain is brutally efficient:
1. Reconnaissance: Attackers identify a target organization and discover it uses a specific VPN product.
2. Exploitation: They exploit a known vulnerability (like CitrixBleed) or use stolen credentials acquired from phishing campaigns or dark web marketplaces.
3. Persistence & Elevation: Once inside, they establish a persistent foothold and work to escalate their privileges, often seeking domain administrator rights.
4. Lateral Movement: Using their newfound access, they move across the network, identifying critical servers, data repositories, and backup systems.
5. Execution: They disable security tools, exfiltrate sensitive data for double extortion, and finally, deploy the ransomware to encrypt the organization’s files, grinding business operations to a halt.
The Human Factor: Overwhelmed and Under-Resourced
The technical vulnerabilities are only half the story. The other half is the immense pressure on the IT and security teams tasked with defending these systems.
“We have a dozen critical systems, and the VPN is just one of them,” admitted a CISO for a mid-sized manufacturing firm, speaking on condition of anonymity. “Last year, there were three ‘emergency, patch-now’ vulnerabilities for our firewall, two for our email server, and four for our VPN appliance. Each one requires downtime, testing, and a maintenance window, which is often in the middle of the night. It’s a relentless cycle. Is it possible to miss one? Absolutely. In fact, it’s almost inevitable.”
This “patching fatigue” is a real and dangerous phenomenon. Cybercriminals operate on machine time, developing exploits within hours of a vulnerability’s disclosure. Corporate IT teams operate on human time, constrained by budgets, staffing, and the need to not disrupt business operations. The legacy VPN model, with its manual updates and complex configurations, puts these teams at a permanent disadvantage in this asymmetrical fight.
Charting a New Course: The Migration to Zero Trust
The At-Bay report is more than just a warning; it’s a clear call to action for businesses to fundamentally rethink their remote access strategy. Simply trying harder to patch a broken model is no longer a viable strategy. The path forward lies in migrating away from the high-risk architecture of on-premise VPNs and toward a modern, Zero Trust framework.
Embracing a New Security Paradigm
Zero Trust isn’t a product you can buy, but a security philosophy that must be implemented. It inverts the old model. Instead of trusting everyone inside the network, it trusts no one by default. Every single access request—whether from an employee at home, a partner in another country, or a server in the next rack—must be explicitly authenticated and authorized. This approach dramatically shrinks the attack surface and contains breaches before they can become catastrophes.
Practical Steps for a Safer Future
For organizations looking to de-risk their remote access infrastructure, the journey can seem daunting, but it can be broken down into manageable steps:
1. Conduct a Full Audit: The first step is to gain complete visibility. Identify all remote access points into your network, especially “shadow IT” VPNs or remote desktop tools that may have been set up without official approval.
2. Aggressively Prioritize Patching: While the long-term goal is migration, the short-term reality is that existing VPNs must be secured. Treat VPN patching with the highest possible urgency, implementing a rapid response protocol for all critical vulnerabilities.
3. Mandate Multi-Factor Authentication (MFA): If you haven’t already, enforce phishing-resistant MFA across your entire VPN user base immediately. This single step can neutralize the threat of stolen credentials, one of the most common attack vectors.
4. Begin a Phased Migration to ZTNA/SASE: Identify a pilot group of users or a specific application and begin migrating them to a cloud-native ZTNA solution. This allows your team to build expertise and demonstrate the benefits before a full-scale rollout.
5. Segment Your Network: Even with a VPN, you can limit the damage of a breach by segmenting your internal network. Ensure that a user logging into the VPN doesn’t automatically have access to everything. Isolate critical systems and force re-authentication for access to sensitive data.
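The five steps above can be turned into a repeatable self-assessment. The following Python is an added example written for this article, not a tool from At-Bay or any vendor; the inventory, the version strings, the network ranges and the severity scheme are constructed placeholders, and the “fixed version” field stands in for whatever the current vendor advisory says. It runs each remote-access endpoint through the checklist (approved inventory, patch currency, MFA strength, flat network reach, migration status) and returns findings sorted by severity so the audit output doubles as a prioritized work list.

```python
from dataclasses import dataclass

@dataclass
class RemoteAccessEndpoint:
    name: str
    kind: str                  # "vpn", "rdp" or "ztna"
    approved: bool             # present in the official asset inventory?
    mfa: str                   # "none", "otp" or "phishing-resistant"
    installed_version: str     # placeholder version strings, constructed for this example
    fixed_version: str         # lowest version closing the newest critical advisory
    reachable_networks: list   # what a connected user can route to; "any" = flat network

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def version_tuple(version: str) -> tuple:
    """Turn '7.0.3' into (7, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def assess(ep: RemoteAccessEndpoint) -> list:
    """Apply the five-step checklist to one endpoint; returns (severity, message) pairs."""
    findings = []
    # Step 1 (audit): anything outside the approved inventory is shadow IT.
    if not ep.approved:
        findings.append(("critical", f"{ep.name}: unapproved remote access path; "
                                     "remove it or bring it under management"))
    # Step 2 (patching): the running version is behind the advisory's fixed version.
    if version_tuple(ep.installed_version) < version_tuple(ep.fixed_version):
        findings.append(("critical", f"{ep.name}: running {ep.installed_version}, fix available "
                                     f"in {ep.fixed_version}; patch under the rapid-response protocol"))
    # Step 3 (MFA): absent MFA is critical; MFA that is not phishing-resistant is high.
    if ep.mfa == "none":
        findings.append(("critical", f"{ep.name}: no MFA enforced"))
    elif ep.mfa != "phishing-resistant":
        findings.append(("high", f"{ep.name}: MFA is {ep.mfa}; move to phishing-resistant MFA"))
    # Step 5 (segmentation): a connected user should not be able to reach everything.
    if "any" in ep.reachable_networks:
        findings.append(("high", f"{ep.name}: connected users can route to the whole network; "
                                 "restrict to required segments"))
    # Step 4 (migration): legacy access paths get a tracking item for the phased ZTNA rollout.
    if ep.kind != "ztna":
        findings.append(("medium", f"{ep.name}: legacy {ep.kind} access; "
                                   "schedule for the phased ZTNA migration"))
    return findings

def audit(endpoints) -> list:
    """Assess every endpoint and return all findings, most severe first."""
    findings = [f for ep in endpoints for f in assess(ep)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))

# Constructed inventory for this example: names, versions and ranges are placeholders.
INVENTORY = [
    RemoteAccessEndpoint("hq-vpn-1", "vpn", True, "otp", "7.0.1", "7.0.3", ["any"]),
    RemoteAccessEndpoint("branch-rdp", "rdp", False, "none", "1.0", "1.0", ["10.20.0.0/16"]),
    RemoteAccessEndpoint("ztna-pilot", "ztna", True, "phishing-resistant", "2.4.0", "2.4.0",
                         ["app:hr-portal"]),
]

if __name__ == "__main__":
    for severity, message in audit(INVENTORY):
        print(f"[{severity.upper():8}] {message}")
```

On the constructed inventory the audit yields seven findings: three critical (the unapproved RDP path, its missing MFA, and the VPN appliance running behind the fixed version), two high (one-time-password MFA and flat network reach on the VPN appliance) and two medium migration items. The ZTNA pilot produces nothing, which is what “demonstrate the benefits before a full-scale rollout” looks like in an audit report. In a real deployment the inventory would be fed from the asset database and the fixed versions from the vendors’ advisories rather than typed in by hand.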
The era of the traditional VPN as the cornerstone of corporate security is drawing to a close. For years, it served its purpose, but the threat landscape has evolved beyond its capabilities. The data is now in, and the verdict is clear: clinging to this legacy technology is no longer a calculated risk—it’s an open invitation to disaster.
—
Source: https://www.techradar.com