The End of VPNs — Part 1: Why Reachability is the New Risk

by CybrGPT

[Part 1 of 2 – Based on an interview with Zscaler CSO Deepen Desai]

By Holger Schulze, Cybersecurity Insiders

The 2025 RSA Conference floor was buzzing earlier this month—every booth promising maximum security, every vendor claiming AI. But when I sat down with Deepen Desai in a quieter room to talk about secure access, he cut straight to the point: 

“VPNs are exposed by design,” he said. “And anything exposed is exploitable.”

Desai is the Chief Security Officer at Zscaler. He leads ThreatLabz, one of the most recognized research teams in cloud security. His team had just released the 2025 VPN Risk Report, an unflinching assessment of how legacy remote access infrastructure is failing the modern enterprise.

The numbers alone signal a turning point:

  • 65% of organizations plan to eliminate VPNs within 12 months
  • 81% are moving toward a Zero Trust architecture
  • 92% are concerned that unpatched VPNs will lead to ransomware attacks

But those numbers weren’t the headline. The real story was what Desai said next.

“The problem with VPNs isn’t misconfiguration. It’s that they work exactly as designed—by placing users on the network. That’s the flaw.”

From Access to Attack Surface – The Blast Radius Is the Network

For years, VPNs served as the default answer to remote access. They were familiar, deployable, and “secure enough.” But the world they were built for no longer exists. In today’s hybrid-work, cloud-first environment that familiarity is dangerous: VPNs create tunnels from users into internal environments, and once a user is authenticated, they grant network-level access.

“VPNs don’t connect you to an application,” Desai explained. “They put you on the network—and once you’re there, the entire routing table is fair game.”

Between 2020 and 2025, Zscaler ThreatLabz tracked over 400 CVEs tied to VPN appliances as reported by the MITRE CVE Program. In 2024 alone, 60% of new VPN vulnerabilities were rated high or critical. These flaws allowed attackers to bypass authentication, execute code remotely, or hijack sessions outright. And the adversaries aren’t waiting around. 

As Desai pointed out, attackers are often exploiting them faster than vendors can patch.

“We’ve seen ransomware groups reverse-engineer VPN vendor patches within hours of release,” he said. “They don’t need to wait for the next zero-day exploit. They just need to watch the update notes.”

Once inside, VPNs offer no built-in segmentation. No identity-aware access. No containment. 

We’ve seen this play out repeatedly. In the past 24 months, attacks targeting Citrix, Pulse Secure, and Ivanti VPNs forced urgent patch cycles, major outages, and—in at least one case—U.S. federal agencies were ordered to physically disconnect appliances to prevent a breach.

“When a government agency tells you to unplug your VPN device,” Desai said, “that’s not a security advisory. That’s an obituary.”

The Breach Blueprint: Four Stages of Exploitation

What makes VPNs so dangerous today is not just that they’re reachable—it’s what they enable after compromise. Desai broke it down like a blueprint, because that’s exactly how attackers see it:

  1. Find an exposed VPN endpoint—scan the internet or query an LLM trained on CVE metadata.
  2. Compromise the device—via credentials, phishing, or a known exploit.
  3. Move laterally—because VPNs place you on the internal network with broad access.
  4. Exfiltrate or encrypt—steal data or detonate ransomware.

“If your device is compromised,” Desai warned, “the blast radius is everything your VPN can reach on the network. And with most VPNs, that’s a lot.”
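To make the four-stage blueprint and the blast-radius point concrete, here is an added Python model (not code from the article, Zscaler, or ThreatLabz) that compares what a single compromised identity can reach under two access models: a VPN that pushes a route for the whole internal range to every authenticated client, and a broker that grants access per application based on identity. Every subnet, service name and user below is constructed sample data. The same model also covers the third-party case discussed later, where a contractor account connecting over VPN reaches far more than the one application it needs.

```python
"""
Blast-radius model: network-level VPN access vs. identity/app-level brokered access.
Added illustration, not code from Zscaler or the article. All hosts, subnets,
users and applications below are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Constructed inventory of internal services: name -> IP address.
SERVICES = {
    "hr-portal":      "10.10.1.20",
    "payroll-db":     "10.10.1.21",
    "wiki":           "10.20.5.10",
    "build-server":   "10.20.5.40",
    "backup-share":   "10.30.8.5",
    "contractor-app": "10.40.2.15",
}

# Model A (constructed): the VPN pushes routes for whole internal ranges to any
# authenticated user. Reachability is decided by the routing table, not identity.
VPN_PUSHED_ROUTES = [ip_network("10.0.0.0/8")]

# Model B (constructed): a broker maps identity -> explicitly allowed applications.
# Anything not listed is not reachable at all, regardless of IP routing.
APP_POLICY = {
    "alice@corp":        {"hr-portal", "payroll-db", "wiki"},
    "bob@build.corp":    {"wiki", "build-server"},
    "vendor@contractor": {"contractor-app"},
}


def reachable_via_vpn(user, routes=VPN_PUSHED_ROUTES, services=SERVICES):
    """Services a logged-in user can reach when access = routes pushed to the client.

    The user argument is deliberately unused: once on the network, identity no
    longer constrains what is reachable. Every service inside a pushed route
    counts, whether or not the user has any business reason to touch it.
    """
    return {name for name, ip in services.items()
            if any(ip_address(ip) in net for net in routes)}


def reachable_via_broker(user, policy=APP_POLICY, services=SERVICES):
    """Services a user can reach when access is granted per application by policy.

    Unknown identities get an empty set; there is no network to land on.
    """
    return {name for name in policy.get(user, set()) if name in services}


def blast_radius(user, model):
    """Number of services exposed if this user's credential or device is compromised."""
    return len(model(user))


def compare(user):
    """Blast radius of one compromised identity under both access models."""
    return {
        "vpn": blast_radius(user, reachable_via_vpn),
        "broker": blast_radius(user, reachable_via_broker),
    }


if __name__ == "__main__":
    for identity in APP_POLICY:
        print(f"{identity:20s} {compare(identity)}")
```

The gap between the two numbers per identity is the quantity worth tracking: under the routed model it is the same for everyone, including the contractor, because the routing table rather than the policy decides reachability. Narrowing it to the set of applications each identity actually needs is what the segmentation discussed in the article buys.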

AI Is Changing the Rules—and Breaking the Old Model

Desai also emphasized that attackers aren’t just adapting to old defenses. They’re automating past them.

“We’re already seeing threat actors use AI to scale reconnaissance,” he said. “They use GPT models to query CVE databases, plan attacks, and generate working exploits faster than most teams can patch.”

In this new era, attackers no longer need weeks of manual research. They can run 1,000 automated scans, find the exposed systems, and strike—at scale.

“They don’t care about an 80% failure rate,” Desai added. “If 20 out of 100 attacks succeed, they win. But we can’t operate that way. We have to defend everything.”

And while defenders have AI too—risk scoring, anomaly detection, automated policy generation—Desai made it clear that defensive AI only works when the architecture is simplified.

“Use AI to fight AI,” he said. “But don’t rely on AI to clean up after a broken access model. You need Zero Trust first—because if your infrastructure is reachable, you’ve already lost.”

This is where Zero Trust does more than reduce risk. It removes the attacker’s visibility of your infrastructure. It denies entry. It breaks the attacker’s playbook before they press ‘Enter.’

The Quiet Cost: Normalized Fragility, Institutional Risk

Desai’s view isn’t just about external threats. He pointed to what he called the “quiet failure” of VPNs: the day-to-day cost they impose on IT, security, and end users.

“We’ve normalized the fragility,” he told me. “Dropped sessions, sluggish performance, endless helpdesk tickets—it’s all seen as just the price of remote work. But it doesn’t have to be that way.”

According to the VPN risk report:

  • 54% of teams say VPNs are a recurring source of outages or support escalations
  • 41% call VPN maintenance a major drain on internal resources
  • 51% of users report degraded application performance
  • 23% say slowdowns directly impact their productivity

The problem isn’t just the VPN tunnel. It’s the architecture around it—one that demands constant patching, exposes public IPs, and assumes any authenticated user is trustworthy enough to be on the network.

“Security teams are stuck patching appliances,” Desai said. “Helpdesk teams are buried in tickets. Meanwhile, attackers are using AI to scale recon. It’s not a fair fight.”

Inheriting Risk: Third-Party and M&A Exposure

There’s another failure mode that Desai considers just as dangerous—and far less visible: VPNs as backdoors for third-party risk.

“If your contractors connect over VPN, you’re not just exposing your apps,” he said. “You’re inheriting whatever vulnerabilities exist in their environments.”

In one 2024 incident cited in the report, a financial services firm suffered a breach after attackers exploited a third-party VPN connection, exposing data from nearly 20,000 clients.

And the risk is amplified during mergers and acquisitions.

“Attackers monitor the news,” Desai said. “When an acquisition is announced, they target the smaller company. It’s lean, underprotected, and usually connected by VPN to the parent. That’s the bridge—and no one’s watching it.”

What Happens When the VPN Is Gone

So what does life after VPN actually look like?

Desai offered a clear example: ManpowerGroup, a global enterprise with over 30,000 users, fully transitioned from traditional VPN to Zscaler Private Access (ZPA)—in just 18 days.

The impact wasn’t just faster logins or simplified administration. It was architectural.

  • No exposed IP addresses
  • No lateral network access
  • 97% reduction in helpdesk tickets related to remote access
  • Application access based on identity and policy—not network-level routing

“When you eliminate the idea of being ‘on the network,’” Desai said, “you eliminate the attacker’s playground.”

Coming Next: The End of VPNs — Beyond the Buzz of Zero Trust

In Part 2 of this series, we’ll go deeper into how Zero Trust replaces VPNs—not just in branding, but in architecture. We’ll walk through how Zscaler applies Zero Trust in practice, why identity—not subnet—is the new perimeter, and how organizations are using app-segmentation and deception to stop lateral movement before it starts.

Because the future of secure access isn’t about building safer tunnels. It’s about removing the need for VPN tunnels altogether.
