VPN Vulnerabilities: Why the VPN You Choose Is as Important as Using One at All
By Krista Lyons
TL;DR: Eight popular commercial VPN applications have hidden their ownership and operations practices, putting more than 700 million users at risk of authoritarian surveillance. Here's what that means for you.
Eight popular commercial VPN applications have hidden their ownership and operations practices, putting more than 700 million users at risk of authoritarian surveillance. That's not a hypothetical scenario — it's the central finding from research conducted by the Open Technology Fund (OTF) and the Internet Citizens' Rights Project (ICRP), which examined transparency and accountability across the commercial VPN ecosystem.
We often see news of VPN vulnerabilities, and many are noteworthy. But the conventional framing focuses on technical exploits: unpatched CVEs, weak protocols, misconfigured servers. Those are real risks, and we address them later in this article. The OTF research, however, points to a threat that receives far less coverage: the VPN provider itself.
Choosing the wrong VPN can be worse than using no VPN at all. If the company running your VPN is opaque about its ownership, subject to foreign government data requests, or logging your traffic, you haven't added a security layer. You've added a liability.
What Are VPN Vulnerabilities? (And Why the Definition Is Broader Than You Think)
VPN vulnerabilities are security weaknesses that can compromise the confidentiality, integrity, or availability of traffic routed through a virtual private network.
Before we dive in, note that Common Vulnerabilities and Exposures (CVE) is a standardized, publicly available catalog of known vulnerabilities in software and hardware, maintained by the MITRE Corporation. VPN vulnerabilities fall into two distinct categories: (1) technical vulnerabilities, such as unpatched CVEs, weak encryption protocols, DNS and IP leaks, and exposure to man-in-the-middle attacks; and (2) structural vulnerabilities, such as opaque ownership, undisclosed data logging, jurisdiction-based legal exposure, and the absence of independent security audits.
Most public coverage focuses on category one. CISA's Known Exploited Vulnerabilities (KEV) Catalog carries an active and growing list of VPN-related CVEs, and CISA has required federal agencies, through emergency directives and the binding operational directive that backs the KEV catalog, to patch exploited VPN appliances from Ivanti, Fortinet, and SonicWall. For a detailed look at specific CVEs, our roundup of widely exploited VPN vulnerabilities in early 2024 covers critical flaws in Ivanti Connect Secure, Ivanti Policy Secure gateways, and Citrix NetScaler ADC and Gateway.
Category two gets far less attention. For businesses evaluating VPN providers, structural vulnerabilities represent a supply chain security risk, not merely a personal privacy concern. Both categories require evaluation before you trust any VPN with your organization's traffic.
What are the 4 types of vulnerabilities? Security frameworks typically classify vulnerabilities as: (1) technical/software flaws such as CVEs and coding errors; (2) configuration weaknesses such as misconfigured servers and default credentials; (3) operational failures such as unpatched systems and weak authentication practices; and (4) supply chain risks, including compromised vendors and opaque ownership structures. All four apply directly to VPN infrastructure.
Part I: The Three Types of VPN — and Why the Distinction Matters for Security
According to Maximize Market Research, the global VPN market was valued at $48.7 billion in 2023 and is projected to reach nearly $150 billion by 2030, growing at a 17.4% compound annual growth rate. Market growth, however, has significantly outpaced provider accountability.
The term "VPN" describes three fundamentally different categories of product, each carrying a different risk profile. Conflating them is one of the most common mistakes organizations make when assessing VPN security risks.
According to VPNpro's Hidden VPN Owners research, 97 VPN services trace back to just 23 parent companies. Ownership concentration at that scale is a systemic risk factor. Users who believe they're comparing independent providers are often selecting products from the same opaque corporate group.
Understanding how remote access VPNs differ from personal consumer VPNs — and how both differ from site-to-site VPN configurations — is the prerequisite for any serious security evaluation. Here's the framework.
Consumer VPNs: Convenient, But Who's Actually Running Them?
Consumer VPNs are the app-store category: TurboVPN, ExpressVPN, Mullvad, and hundreds of similar offerings. This is what most people picture when they hear the word "VPN." The install-and-forget simplicity is central to the appeal.
The core security risk is visibility — or its absence. According to OTF and ICRP research, many VPN providers deliberately obscure their ownership structures, making it impossible for users to assess trustworthiness before installing. Free VPNs are disproportionately likely to have these transparency problems. In the free-product model, the user's traffic — not the VPN subscription — is effectively the revenue model.
For businesses, the implications extend well beyond personal privacy. A consumer VPN installed on a company device routes corporate traffic through infrastructure controlled by an unknown third party. Eight popular commercial VPN apps operate deceptively and put more than 700 million users at risk of authoritarian surveillance, per OTF/ICRP — and none of those users knowingly consented to that arrangement.
Commercial Business VPN Services: Better Accountability, But Still a Shared Infrastructure
Commercial business VPN services are managed, subscription-based offerings designed for organizations rather than individuals. Managed VPN-as-a-service products like CloudConnexa fall into this category. These services typically provide better transparency than consumer VPNs, with published SLAs, enterprise-grade authentication options, and clearer data handling policies.
The tradeoff is that your organization still trusts a third party's infrastructure, and even large, reputable enterprise VPN vendors have suffered significant CVE exploitation. According to Palo Alto Networks Unit 42, the chained vulnerabilities CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection) in Ivanti Connect Secure enabled unauthenticated remote code execution, exploited in three distinct attack waves affecting thousands of enterprise devices globally.
For details on additional vendor incidents, see our posts covering recent SonicWall and Fortinet VPN compromises and large-scale brute force attacks targeting VPN and SSH services in 2024. These incidents confirm that commercial VPN appliances from established enterprise vendors are active targets for sophisticated threat actors.
Private/Self-Hosted VPNs: Maximum Control, Maximum Responsibility
Private/self-hosted VPNs are deployments where the organization installs and operates the VPN server on its own infrastructure. OpenVPN Access Server and OpenVPN Community Edition are among the most widely deployed examples.
The primary advantage is control over both sides of the connection. Corporate traffic never transits a third-party provider's servers. Your organization sets its own logging policy, selects its own authentication stack, and manages its own patching and hardening posture. For organizations with specific compliance requirements, that level of control is often non-negotiable.
Running your own VPN also comes with responsibilities that shouldn't be underestimated. You own the patching cycle, the configuration management, and the incident response. For organizations without dedicated IT staff, that overhead is a real constraint. See the detailed comparison of OpenVPN Community Edition vs. Access Server and the OpenVPN security hardening documentation to understand what self-hosting actually requires before committing to the approach.
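What "owning the hardening posture" means in practice is easier to see than to describe. The script below is an added example written for this article, not OpenVPN's own tooling: it parses an OpenVPN server config and flags the weak or missing directives that the self-hosting caveats above refer to. Both configs are constructed samples (a weak one and the same server hardened); the directives checked are standard OpenVPN server directives, and the severity labels are this example's own judgement.

```python
"""Audit an OpenVPN server config for weak or missing hardening directives (added example)."""

# Constructed sample: a weak server.conf of the kind a quick self-hosted install leaves behind.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth none
comp-lzo
verify-client-cert none
username-as-common-name
keepalive 10 120
"""

# Constructed sample: the same server after a hardening pass.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
server 10.8.0.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
verify-client-cert require
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
"""

WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_conf(text):
    """Map each directive to the list of argument lists seen (directives may repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server_conf(text):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    d = parse_conf(text)
    findings = []

    def first_arg(name):
        args = d.get(name, [[]])[0]
        return args[0] if args else None

    # Control channel: tls-auth authenticates, tls-crypt also encrypts, the TLS handshake,
    # so unauthenticated peers cannot probe the TLS stack at all.
    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append(("HIGH", "no tls-crypt/tls-auth: TLS control channel reachable by unauthenticated peers"))

    # Data channel: 64-bit block ciphers (SWEET32) or a null cipher.
    cipher = (first_arg("cipher") or "").upper()
    if cipher in WEAK_CIPHERS:
        findings.append(("HIGH", f"cipher {cipher}: weak or null data-channel cipher"))

    # The negotiated list should offer an AEAD cipher; without it the legacy 'cipher' value rules.
    dc = first_arg("data-ciphers") or first_arg("ncp-ciphers")
    if dc is None:
        findings.append(("MEDIUM", "no data-ciphers list: negotiation falls back to the legacy 'cipher' value"))
    elif not any(c.upper() in AEAD_CIPHERS for c in dc.split(":")):
        findings.append(("MEDIUM", f"data-ciphers {dc}: no AEAD cipher offered"))

    # HMAC for tls-auth/tls-crypt and for non-AEAD data packets (OpenVPN's default is SHA1).
    auth = (first_arg("auth") or "SHA1").upper()
    if auth == "NONE":
        findings.append(("HIGH", "auth none: packet authentication disabled"))
    elif auth in {"MD5", "SHA1"}:
        findings.append(("LOW", f"auth {auth}: legacy HMAC digest; prefer SHA256 or stronger"))

    if "tls-version-min" not in d:
        findings.append(("MEDIUM", "no tls-version-min: TLS 1.0/1.1 may still be accepted"))

    # Real compression exposes tunnelled plaintext to VORACLE-style recovery; only stub framing is safe.
    compress = first_arg("compress")
    if "comp-lzo" in d or ("compress" in d and compress not in (None, "stub", "stub-v2")):
        findings.append(("HIGH", "compression enabled: tunnelled traffic exposed to VORACLE-style attacks"))

    # Clients should present a certificate; password-only auth turns a credential leak into VPN access.
    vcc = (first_arg("verify-client-cert") or "require").lower()
    if vcc == "none" or "client-cert-not-required" in d:
        findings.append(("HIGH", "client certificates not required: password-only authentication"))

    # Drop root after startup (persist-key/persist-tun keep restarts working once privileges are gone).
    if not ("user" in d and "group" in d):
        findings.append(("MEDIUM", "no user/group: daemon keeps root privileges after startup"))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"== {label} ==")
        for sev, msg in audit_server_conf(conf) or [("OK", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run against the weak sample it reports eight findings (five HIGH); the hardened sample reports none. The checks are deliberately conservative: a missing `data-ciphers` line is only MEDIUM because modern builds negotiate AES-256-GCM by default, and the script cannot read the DH parameter file, so it does not judge `dh dh1024.pem` beyond what the filename suggests.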
VPN Type Comparison Table: Consumer vs. Commercial vs. Private
| Criterion | Consumer VPN | Commercial Business VPN | Private/Self-Hosted VPN |
|---|---|---|---|
| Ownership transparency | Often deliberately obscured | Generally disclosed; varies by vendor | Full visibility — your organization owns it |
| Data logging risk | High for free VPNs; variable for paid | Defined by provider policy and SLA | Controlled entirely by your organization |
| Independent audit availability | Rare and inconsistent | Available from established vendors | Requires your initiative or third-party engagement |
| Infrastructure control | None | Partial — shared provider infrastructure | Complete |
| Authentication options | Basic (password or app-based MFA) | Enterprise-grade: MFA, SSO, LDAP, RADIUS | Full stack: LDAP, RADIUS, SAML, TOTP, certificates |
| Typical use case | Personal privacy, geo-restriction | Business remote access, SMBs | Enterprise, compliance-driven, high-control environments |
| Example providers | ExpressVPN, TurboVPN, Mullvad | CloudConnexa, managed enterprise VPN services | Access Server, OpenVPN Community Edition |
You can compare OpenVPN Access Server and Community Edition side by side to determine which self-hosted option fits your organization's size and IT capacity.
Of note: OpenVPN Inc. is not the owner of the OpenVPN open source project, but has a stewardship role. OpenVPN Inc. is a privately owned company.
Good to Know: Router-bundled VPNs — included as a feature with ISP equipment or consumer networking hardware — represent an informal fourth category. They typically carry the same ownership opacity risks as consumer VPNs, with the added problem that the VPN capability is tied to a hardware lifecycle and rarely receives dedicated security maintenance or CVE patching.
Part II: Why VPN Provider Ownership and Transparency Are Security Issues, Not Just Privacy Issues
VPN provider opacity is a supply chain security risk for any organization that relies on VPN infrastructure. If you cannot determine who operates your VPN, you cannot assess whether they're subject to foreign government data requests, whether they log traffic that could be subpoenaed, or whether their infrastructure has been compromised at a level that wouldn't generate a public CVE disclosure.
The concentration data from VPNpro makes this concrete: 97 VPN services trace to just 23 parent companies, many operating across multiple jurisdictions. Combined with the OTF finding that developer identity is often deliberately anonymized, the picture is one of systemic opacity across the market — not isolated exceptions.
The nation-state dimension amplifies the risk further. Fortinet PSIRT's analysis of CVE-2023-27997, a pre-authentication heap-based buffer overflow in the FortiOS SSL VPN that was exploited in the wild, was published together with its guidance on the Volt Typhoon campaign, in which a Chinese state-sponsored actor targeted FortiOS devices and relied on living-off-the-land techniques once inside. Commercial VPN appliances are active nation-state targets, and the organizations running them aren't always aware until after the damage is done.
Is NordVPN owned by Russia? NordVPN is operated by Nord Security, a company incorporated in Panama with its development team based in Lithuania. It is not Russian-owned. The question persists precisely because VPN ownership is genuinely opaque across the industry — and the OTF research shows that many providers cannot answer a similar question clearly.
What Questions Should You Ask Before Trusting a VPN Provider?
Apply this checklist before deploying any VPN solution in a business context. It covers both technical VPN security flaws and the structural risks that most evaluations miss.
- Who owns and operates this VPN, and is that information publicly disclosed? If uncovering corporate ownership requires investigative research, treat that opacity as a warning signal.
- Where is the company incorporated, and under what legal jurisdiction does it operate? Companies in jurisdictions with mandatory data retention laws or weak rule-of-law protections carry elevated legal exposure for your organization's traffic.
- Does the provider publish a transparency report? Transparency reports document government data requests received and fulfilled. Their absence doesn't prove wrongdoing, but their presence is a meaningful accountability signal.
- Has the software been independently audited, and are audit results publicly available? Claims about security posture are not equivalent to verified security posture.
- What is the logging policy, and has it been independently verified? Many providers claim no-log policies that are contradicted by their own terms of service or have never been tested in practice.
- What authentication methods are supported? A business VPN that doesn't support multi-factor authentication (MFA), LDAP, or SAML SSO doesn't meet current enterprise security standards.
- Is the underlying VPN protocol open-source and independently auditable? Proprietary protocols cannot be externally verified — a meaningful disadvantage for organizations with compliance or regulatory requirements.
- Is there a published security advisory history? A provider with no published CVEs isn't necessarily more secure. They may simply be less transparent. Review OpenVPN's publicly documented security advisories as a reference for what a responsible public advisory history looks like.
- What is the patching and incident response process, and how quickly are critical vulnerabilities addressed? The CISA Known Exploited Vulnerabilities Catalog documents how quickly threat actors move once CVEs are disclosed — provider response time is a material security factor.
Part III: What a Trustworthy Business VPN Actually Looks Like
The checklist above describes the criteria. This section describes what meeting those criteria looks like in practice.
The foundational trust argument for OpenVPN starts with the protocol itself. The OpenVPN protocol is open-source, publicly auditable, and has been reviewed by independent security researchers for over two decades. When vulnerabilities are discovered — as with the TunnelCrack vulnerability set, which documented LocalNet and ServerIP attacks on VPN clients — they are disclosed publicly and mitigations are documented transparently. That's what a responsible public audit trail looks like.
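Two of the client-side failure modes named on this page, DNS and IP leaks (from the definition in the opening section) and the TunnelCrack LocalNet attack (above), come down to one question: does a given packet actually egress through the tunnel interface? The script below is an added example written for this article, not OpenVPN's code or the TunnelCrack authors' tooling. It takes `ip route` output and resolv.conf contents, does the same longest-prefix match the kernel does, and reports any target or resolver that would bypass the tunnel. The route tables and resolver files are constructed samples; `203.0.113.10` stands in for the VPN server, and `198.51.100.5` for a target the attacker wants to see in the clear.

```python
"""Route-table leak check for a full-tunnel VPN client (added example, not OpenVPN's code)."""
import ipaddress

# Constructed: Linux route table after OpenVPN's `redirect-gateway def1`. The two /1 routes
# override the default without deleting it; a host route keeps the VPN server reachable.
ROUTES_FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed: the same client on a rogue access point that assigned it a "local" subnet
# covering the target's address (TunnelCrack LocalNet). The connected /24 beats the VPN's
# /1 routes on prefix length, so 198.51.100.5 never enters the tunnel.
ROUTES_LOCALNET_ATTACK = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 198.51.100.1 dev wlan0 proto dhcp
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.77
203.0.113.10 via 198.51.100.1 dev wlan0
"""

RESOLV_VIA_TUNNEL = "nameserver 10.8.0.1\n"                    # resolver pushed by the VPN server
RESOLV_LOCAL_ROUTER = "search lan\nnameserver 192.168.1.1\n"   # ISP/router resolver left in place


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs; 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst, strict=False), parts[parts.index("dev") + 1]))
    return routes


def parse_resolvers(text):
    """Return the nameserver addresses listed in a resolv.conf."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def egress_dev(routes, ip):
    """Longest-prefix match, as the kernel does (metrics and policy rules are ignored)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_tunnel(route_text, resolv_text, tun_dev, vpn_server, targets):
    """Return findings as strings; an empty list means every checked path uses the tunnel."""
    routes = parse_routes(route_text)
    findings = []
    for target in targets:
        dev = egress_dev(routes, target)
        if dev != tun_dev:
            findings.append(f"LEAK: {target} egresses via {dev}, not {tun_dev} (LocalNet-style bypass or split tunnel)")
    # The VPN server itself must stay outside the tunnel, or the tunnel cannot be built.
    if egress_dev(routes, vpn_server) == tun_dev:
        findings.append(f"LOOP: VPN server {vpn_server} is routed into the tunnel itself")
    for ns in parse_resolvers(resolv_text):
        dev = egress_dev(routes, ns)
        if dev != tun_dev:
            findings.append(f"DNS LEAK: resolver {ns} reached via {dev}; queries bypass the tunnel")
    return findings


if __name__ == "__main__":
    targets = ["198.51.100.5", "8.8.8.8"]
    for label, routes, resolv in (
        ("full tunnel, VPN resolver", ROUTES_FULL_TUNNEL, RESOLV_VIA_TUNNEL),
        ("full tunnel, router resolver", ROUTES_FULL_TUNNEL, RESOLV_LOCAL_ROUTER),
        ("LocalNet attack", ROUTES_LOCALNET_ATTACK, RESOLV_VIA_TUNNEL),
    ):
        print(f"== {label} ==")
        for f in check_tunnel(routes, resolv, "tun0", "203.0.113.10", targets) or ["OK"]:
            print(f"  {f}")
```

The first scenario is clean; the second shows the classic DNS leak, where the tunnel is fine but name resolution still goes to the router on `eth0`; the third shows why LocalNet works at all: nothing about the VPN configuration changed, only the local subnet the client was handed. On a live machine, feed it the output of `ip route show` and the contents of `/etc/resolv.conf` instead of the samples. It models the main table only, so policy routing, per-route metrics and IPv6 are out of scope.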
Access Server is trusted by more than 20,000 organizations and is rated the #1 Business VPN on G2 by more than 400 verified reviewers. Access Server holds a SOC 2 Type 2 attestation, an independent audit of security controls over a period of time that gives customers external verification of the controls they depend on.
On authentication, OpenVPN Access Server supports local authentication, PAM, LDAP, RADIUS, SAML SSO, TOTP MFA, and certificate-based authentication. The full list of authentication options available in Access Server covers configuration details for each method. For organizations evaluating OpenVPN against incumbent enterprise appliance vendors, the OpenVPN vs. Fortinet comparison addresses total cost of ownership and deployment complexity directly.
Self-Hosted vs. Managed: Which OpenVPN Deployment Is Right for Your Organization?
Access Server is the self-hosted option. Your organization installs and manages the VPN server on your own infrastructure — physical, virtual, or cloud-hosted. You own the data, the configuration, and the patching cycle. It's the right fit for organizations with IT staff who can manage operational requirements and who need full infrastructure control for compliance or policy reasons.
CloudConnexa is the fully managed VPN-as-a-service option. OpenVPN operates the infrastructure; your team manages users and access policies through a web-based interface. No server maintenance, no patching overhead, and enterprise-grade security without requiring dedicated VPN expertise on staff, making it a great fit for SMBs and lean IT teams.
Organizations currently running SonicWall SMA 100 Series appliances should note that those devices reach end-of-life on October 31, 2025. The guide to migrating from SonicWall to Access Server covers the transition process in detail.
Ready to evaluate both options with no upfront commitment? Access Server supports up to 2 simultaneous connections free — no credit card required. CloudConnexa also offers a free tier for initial evaluation. Start with the deployment model that fits your team size and IT capacity, and scale from there.
Key Takeaways: 5 Things to Know About VPN Vulnerabilities and Provider Trust
- VPN vulnerabilities are both technical and structural. CVEs in VPN appliances are well-documented, but structural vulnerabilities — opaque ownership, unverified logging policies, jurisdiction exposure — are equally significant and receive far less scrutiny. Evaluate both categories before deploying any VPN.
- Consumer VPNs, commercial business VPNs, and private/self-hosted VPNs carry fundamentally different risk profiles. They are not interchangeable, and the right choice depends on your organization's control requirements, IT capacity, and compliance obligations.
- The VPN market is more concentrated than it appears. 97 VPN services trace to just 23 parent companies. Users selecting "different" VPN products are frequently choosing offerings from the same opaque corporate group — often without knowing it.
- For businesses, VPN provider opacity is a supply chain security risk, not a personal privacy preference. If you cannot determine who owns and operates your VPN provider, you cannot meaningfully assess your legal, operational, or security exposure.
- Self-hosting your VPN — or choosing a provider with a public audit trail and an open-source protocol — is the highest-trust option available. Open-source protocols can be independently verified. Public CVE histories, transparency reports, and SOC 2 reports demonstrate accountability that no-log claims alone cannot provide.
Frequently Asked Questions About VPN Vulnerabilities
What makes a VPN vulnerable to attack?
VPN vulnerabilities fall into two categories. Technical vulnerabilities include unpatched CVEs, weak or deprecated encryption protocols, DNS and IP leaks, and exposure to man-in-the-middle attacks. Structural vulnerabilities include opaque ownership, undisclosed data logging, the absence of independent audits, and jurisdiction-based legal exposure. Both categories require evaluation when selecting a VPN for business use.
Who owns the most popular free VPN apps?
According to VPNpro's research, 97 VPN services trace to just 23 parent companies, many of which obscure their corporate structure. The OTF and ICRP research found that many free VPN providers deliberately anonymize their development teams and ownership to prevent users from assessing trustworthiness. Free VPNs that are not open source are disproportionately likely to have serious transparency problems.
What is the difference between a consumer VPN and a business VPN?
Consumer VPNs such as ExpressVPN, TurboVPN, and Mullvad are app-store products primarily designed for personal use. They offer limited visibility into ownership and logging practices. Business VPNs such as Access Server or CloudConnexa provide enterprise authentication (MFA, LDAP, SAML), independently audited security controls, SLAs, and data handling policies suited to organizational compliance requirements.
Is a self-hosted VPN more secure than a commercial VPN service?
A self-hosted VPN can offer a higher level of control — your traffic doesn't transit a third-party provider's infrastructure, and your organization defines its own logging, authentication, and patching policies. Whether that translates to better security depends on your team's capacity to maintain it. A well-maintained self-hosted deployment is generally the highest-trust option available; a neglected one can introduce significant vulnerabilities in remote-access VPNs that a managed service would handle automatically.
How do I know if my VPN provider logs my data?
Review the provider's privacy policy and terms of service carefully — claimed "no-log" policies are sometimes contradicted by the fine print. Look for independent audits that have verified the logging policy in practice, not just in the provider's own documentation. Providers that have never subjected their no-log claims to third-party verification offer no meaningful assurance. Ask specifically whether audit results are publicly available and how recent they are.
What should businesses look for in a trustworthy VPN?
A trustworthy business VPN should have: publicly disclosed ownership and corporate structure; an independently verified logging policy; support for MFA and enterprise authentication protocols including LDAP, RADIUS, and SAML; an open-source or independently audited protocol; a public security advisory history; a SOC 2 report or equivalent independent attestation; and a documented, responsive CVE patching process. Evaluate prospective providers against all nine questions in the checklist in Part II above.
Can the FBI see through VPNs?
Law enforcement agencies, including the FBI, can compel VPN providers to produce logs if those logs exist and the provider operates in a cooperating jurisdiction. A VPN with a verified no-log policy — one confirmed by independent audit or tested through legal proceedings — provides stronger protection than an unverified claim. The VPN protocol itself does not grant immunity from legal data requests directed at the provider.
Is using a VPN illegal in the US?
Using a VPN is legal in the United States. VPN use may be restricted or prohibited in other countries, including Russia, China, and Iran. Within the US, a VPN can help protect traffic in transit, but it doesn't alter the legality of the activity being conducted over it or exempt users from applicable laws.
Is NordVPN owned by Russia?
NordVPN is operated by Nord Security, incorporated in Panama with development based in Lithuania — not Russia. The question persists because VPN ownership is genuinely opaque across the industry, and the OTF research confirms that users are right to ask it.
Ready to see how OpenVPN can help protect your organization from attacks?
Try the self-hosted Access Server solution or managed CloudConnexa service for free — no credit card required.
See Which One is Right for You