January 2025 Cybersecurity Roundup: VPN Usage Surges & Threats Increase

We’re only a month into 2025, and already, the year is off to a complex start regarding cybersecurity threats.

Recent website and app bans in the U.S. and abroad have created a surge in personal VPN usage. However, that surge has also come with a rise in threat actors looking to exploit new personal VPN users. 

From VPN hacks to successful social engineering attacks that impacted thousands of businesses and users, we have compiled everything you need to know about the threats of the new year, so far. 

Hackers exploit Ivanti VPN vulnerability

Ivanti VPN customers have experienced several vulnerabilities during the last year, the latest of which is a critical vulnerability that was exploited by an espionage group based in China, according to reports.

These vulnerabilities impact Ivanti’s Connect Secure VPN and were disclosed by Ivanti on January 8 as CVE-2025-0282 and CVE-2025-0283.

According to Ivanti, the critical vulnerability can be exploited to remotely execute code without authentication, while the high-severity flaw can be used to escalate privileges.

It is unknown how many businesses have been impacted by the vulnerability. However, U.K.-based domain registry provider Nominet has recently disclosed that it was affected.


Security recommendations 

Ivanti released an advisory stating that exploitation of CVE-2025-0282 can be identified with its recently released Integrity Checker Tool (ICT). Ivanti has also released a patch, Ivanti Connect Secure 22.7R2.5, and encourages all users to update immediately if the tool detects no compromise.

Ivanti advised that customers who have run the tool and found signs of compromise should factory reset the VPN appliance before bringing it back online with version 22.7R2.5.

CISA provided the following guidance for all customers using Ivanti Connect Secure, Policy Secure, and ZTA Gateways: 

  • If compromise is found, report it to CISA and Ivanti immediately to start forensic investigation and incident response activities.  
  • Disconnect instances of affected Ivanti Connect Secure products.  
  • Isolate the systems from any enterprise resources to the greatest degree possible.
  • Revoke and reissue any connected or exposed certificates, keys, and passwords to include the following: 
    • Reset the admin-enabled password. 
    • Reset stored application programming interface (API) keys. 
    • Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).  
    • Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
    • For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.


Venezuela bans 20+ popular VPN tools 

On January 9, Venezuela banned over 20 VPN tools following a country-wide TikTok ban similar to the ban passed in the U.S., according to Venezuelan digital rights group Ve Sin Filtro.

According to Ve Sin Filtro, the following VPN providers have been impacted: 

  • Betternet
  • Browsec
  • CyberGhost VPN
  • ExpressVPN
  • Hola VPN
  • Hotspot Shield
  • IPVanish
  • iTop VPN
  • NordVPN
  • PandaVPN Pro
  • Proton VPN
  • Psiphon
  • PureVPN
  • Speedify
  • Surfshark
  • TunnelBear VPN
  • Urban VPN Proxy
  • VPN Brave
  • VPN Super Unlimited Proxy
  • Windscribe
  • ZoogVPN

Security recommendations 

Although the VPNs impacted are primarily intended for personal use, there is still a chance that small businesses may be using them. If you are a business owner who relies on one of the impacted VPNs for secure remote access, OpenVPN may still be an option for you. You may also be able to use the openvpn2 open source protocol. 

SonicWall VPN and firewall exposed to critical flaws

According to a report released in December, “over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports… Vulnerabilities affecting SonicWall SSL VPN devices were recently exploited by ransomware groups, including Fog ransomware and Akira, as they are an attractive target for gaining initial access to corporate networks.”

Additionally, SonicWall released a security advisory on January 22 regarding CVE-2025-23006, stating that the SonicWall PSIRT has been notified of possible active exploitation of the vulnerability by threat actors.

The advisory describes a pre-authentication deserialization of untrusted data vulnerability in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which under specific conditions could allow a remote unauthenticated attacker to execute arbitrary OS commands. SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.

Security recommendations 

SonicWall strongly advises users of the SMA1000 product to upgrade to the hotfix release version that addresses the vulnerability.

OpenVPN recommends that all organizations continually monitor and apply security patches when available. We also recommend proactive security monitoring to ensure that potential anomalies and breaches are caught quickly. 

Backdoor malware VPN threat confirmed

On January 8, Google confirmed a recent backdoor malware threat known as PLAYFULGHOST, which supports commands including keylogging, screen capture, audio capture, remote shell, file transfer, and file execution.

The malware, built on a remote administration trojan known as Gh0st, has been observed spreading through social engineering and SEO poisoning techniques that “bundle” it with popular VPNs and other apps.

SEO poisoning, short for search engine optimization poisoning, means that the malicious download is pushed high in search engine results through techniques that manipulate the Google ranking algorithm. This is especially dangerous given the recent surge in VPN usage after the banning of popular websites and apps in the U.S.

The backdoor also shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which has been publicly studied since 2008.

According to recent reports, “PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN.”

Security recommendations 

Phishing awareness and training can help mitigate backdoor malware that relies on social engineering. Inspect the URL before downloading any software, even if you reached it from a Google search result. Download VPN software only from trusted sources and vendors, and have all business VPN downloads vetted by your company’s security team before installation.
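Two of the recommendations above (inspect the URL, trust only known sources) can be turned into checks that run before an installer is ever executed. The script below is an added example written for this roundup; it is not OpenVPN’s code or any vendor’s tool. It assumes the vendor publishes a SHA-256 checksum for its installer out of band (on its own site or in release notes); the `TRUSTED_HOSTS` allowlist, the sample URLs and the "published" checksum are constructed placeholders.

```shell
#!/bin/sh
# Added example for this post (not OpenVPN's code or any vendor's tool):
# vet a VPN installer before it is run, turning two recommendations into checks:
#   1. the download URL must use https and its host must be exactly one of the
#      vendor hosts you trust (exact match, so lookalikes and decoys are rejected);
#   2. the file's SHA-256 must match the checksum the vendor publishes out of band.
# TRUSTED_HOSTS, the sample URLs and the "published" checksum are constructed
# placeholders, not real vendor values.

TRUSTED_HOSTS="downloads.vendor.example www.vendor.example"

# url_host URL: print the host component, lower-cased.
# Strips scheme, path/query/fragment, any user@ prefix, and a port, in that order,
# so decoys such as "trusted.host@evil.example" or "evil.example#@trusted.host"
# resolve to the host a browser would actually contact.
url_host() {
  rest="${1#*://}"          # drop the scheme
  rest="${rest%%[/?#]*}"    # keep the authority only (cut at the first /, ? or #)
  rest="${rest##*@}"        # drop userinfo: "user@host" decoys
  host="${rest%%:*}"        # drop an explicit port (IPv6 literals are not handled here)
  printf '%s\n' "$host" | tr '[:upper:]' '[:lower:]'
}

# host_trusted URL: succeed only for an https URL whose host is in TRUSTED_HOSTS.
# Exact string comparison: "downloads.vendor.example.attacker.test" does not match.
host_trusted() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;          # plain http or other schemes cannot prove who served the file
  esac
  h=$(url_host "$1")
  for t in $TRUSTED_HOSTS; do
    [ "$h" = "$t" ] && return 0
  done
  return 1
}

# verify_sha256 FILE EXPECTED_HEX: succeed if the file hashes to the published value.
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS
  fi
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$actual" = "$expected" ]
}

# vet_download URL FILE EXPECTED_HEX: both checks must pass before the file is run.
vet_download() {
  if ! host_trusted "$1"; then
    echo "REJECT: host '$(url_host "$1")' is not an allowed vendor host (or URL is not https)" >&2
    return 1
  fi
  if ! verify_sha256 "$2" "$3"; then
    echo "REJECT: $2 does not match the published SHA-256" >&2
    return 1
  fi
  echo "OK: $2 came from an allowed host and matches the published checksum"
}

# --- demonstration on constructed input; the file is a stand-in, not an installer ---
installer=$(mktemp)
printf 'abc' > "$installer"
published='ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'   # SHA-256 of "abc"

vet_download 'https://downloads.vendor.example/setup.msi' "$installer" "$published" || :
# Lookalike host: rejected because the allowlist is matched exactly, not by substring.
vet_download 'https://downloads.vendor.example.attacker.test/setup.msi' "$installer" "$published" || :
# Decoy in the userinfo part: the real host is evil.example, so it is rejected.
vet_download 'https://downloads.vendor.example@evil.example/setup.msi' "$installer" "$published" || :
# Right host, tampered file: rejected by the checksum.
vet_download 'https://downloads.vendor.example/setup.msi' "$installer" '0000000000000000000000000000000000000000000000000000000000000000' || :
rm -f "$installer"
```

The host check deliberately compares whole strings rather than testing whether the trusted name appears somewhere in the URL, because a substring test is exactly what lookalike domains and `trusted@evil` URLs are built to pass. The checksum only helps if the expected value comes from somewhere other than the page that served the download, which is why the script takes it as a separate argument.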

Steps to improve your cybersecurity 

Whether you’ve been impacted by the security vulnerabilities and threats or not, we have a few key steps to keep in mind: 

Level up your network security with Access Server

For ultimate control of your network security, check out OpenVPN’s self-hosted Access Server. Try Access Server for free, and improve your security posture in under 20 minutes. Get started with free connections today.
