Recent website and app bans in the U.S. and abroad have created a surge in personal VPN usage. However, that surge has also come with a rise in threat actors looking to exploit new personal VPN users.
From VPN hacks to successful social engineering attacks that impacted thousands of businesses and users, we have compiled everything you need to know about the threats of the new year, so far.
Ivanti VPN customers have experienced several vulnerabilities during the last year, the latest of which is a critical vulnerability that was exploited by an espionage group based in China, according to reports.
These vulnerabilities affect Ivanti’s Connect Secure VPN and were disclosed by Ivanti on January 8 as CVE-2025-0282 and CVE-2025-0283.
According to Ivanti, the critical vulnerability can be exploited to remotely execute code without authentication, while the high-severity flaw can be used to escalate privileges.
It is unknown how many businesses have been affected. However, U.K.-based domain registry provider Nominet recently disclosed that it was impacted by the vulnerability.
Ivanti released an advisory stating that exploitation of CVE-2025-0282 can be identified with its recently released Integrity Checker Tool (ICT). Ivanti has also released a patch, Ivanti Connect Secure 22.7R2.5, and encourages all users to update their software immediately if the ICT detects no compromise.
Ivanti advised that customers who have run the ICT and found signs of compromise should perform a factory reset of the VPN appliance before putting it back online on version 22.7R2.5.
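The advisory's remediation order (scan with the ICT first, then either factory reset or patch in place, and only accept appliances at or above 22.7R2.5) is easy to get wrong across a fleet. The script below is an added example, not Ivanti's tooling: it parses Ivanti Connect Secure version strings of the form major.minorRrelease.patch so they compare numerically, and triages a constructed inventory (hostnames, versions and ICT outcomes are all invented for the example) into the four actions the advisory implies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Patched Ivanti Connect Secure release named in the advisory.
FIXED_VERSION = "22.7R2.5"

# ICS versions look like <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an ICS version string into a tuple that compares numerically.

    A missing trailing patch number (e.g. '22.7R2') is treated as patch 0,
    so '22.7R2' < '22.7R2.5' and '22.7R3' > '22.7R2.5'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti Connect Secure version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass
class Appliance:
    hostname: str
    version: str
    # True: ICT found no signs of compromise; False: ICT flagged the device;
    # None: ICT has not been run yet.
    ict_clean: Optional[bool]


def triage(appliance: Appliance) -> str:
    """Apply the advisory's decision order: scan first, then reset or patch."""
    if appliance.ict_clean is None:
        return "run-ict"                      # do not patch in place until the scan is done
    if appliance.ict_clean is False:
        return "factory-reset-then-upgrade"   # compromised: wipe, then install 22.7R2.5
    if parse_ics_version(appliance.version) < parse_ics_version(FIXED_VERSION):
        return "upgrade"                      # clean but still on a vulnerable build
    return "up-to-date"


def triage_inventory(inventory: List[Appliance]) -> Dict[str, str]:
    """Map each hostname to the action the advisory calls for."""
    return {a.hostname: triage(a) for a in inventory}


# Constructed sample inventory: hostnames, versions and ICT results are invented.
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-1.example", "22.7R2.5", True),
    Appliance("vpn-hq-2.example", "22.7R2.3", True),
    Appliance("vpn-dc-1.example", "22.7R2", False),
    Appliance("vpn-branch.example", "22.6R2.1", None),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:22} {action}")
```

The version parser treats an absent patch number as zero; if your inventory source reports versions in a different shape, adjust the regular expression rather than comparing the strings lexically, since "22.7R2.10" would otherwise sort below "22.7R2.5".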
CISA provided the following guidance for all customers using Ivanti Connect Secure, Policy Secure, and ZTA Gateways:
On January 9, Venezuela banned over 20 VPN tools following a country-wide TikTok ban similar to the ban passed in the U.S., according to Venezuelan digital rights group Ve Sin Filtro.
According to Ve Sin Filtro, the following VPN providers have been impacted:
Although the VPNs impacted are primarily intended for personal use, there is still a chance that small businesses may be using them. If you are a business owner who relies on one of the impacted VPNs for secure remote access, OpenVPN may still be an option for you. You may also be able to use the openvpn2 open source protocol.
According to a report released in December, “over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports… Vulnerabilities affecting SonicWall SSL VPN devices were recently exploited by ransomware groups, including Fog ransomware and Akira, as they are an attractive target for gaining initial access to corporate networks.”
Additionally, SonicWall released a security advisory on January 22 regarding CVE-2025-23006 which states that the SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors.
The vulnerability is a pre-authentication deserialization of untrusted data flaw in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which under specific conditions could allow a remote unauthenticated attacker to execute arbitrary OS commands. SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.
SonicWall strongly advises users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.
OpenVPN recommends that all organizations continually monitor and apply security patches when available. We also recommend proactive security monitoring to ensure that potential anomalies and breaches are caught quickly.
On January 8, Google confirmed a recent backdoor malware threat, known as PLAYFULGHOST, that supports commands including keylogging, screen capture, audio capture, remote shell, file transfer, and file execution.
The malware, built on a remote administration trojan known as Ghost, has been observed spreading through social engineering and SEO poisoning, which “bundle” it with popular VPNs and other apps.
SEO poisoning (search engine optimization poisoning) means the malware’s download page is pushed high in search results using techniques that manipulate Google’s ranking algorithm. This is especially dangerous in light of the recent surge in VPN usage after the banning of popular websites and apps in the U.S.
The backdoor also shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which has been publicly studied since 2008.
According to recent reports, “PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN.”
Phishing awareness and training can help mitigate the threat from backdoor malware that relies on social engineering tactics. It is important to investigate the URL, even if you have clicked a link from Google, before downloading any software. Additionally, only download VPN software from trusted sources and companies. All business VPN software downloads should be vetted through your company’s security team before proceeding.
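The two habits recommended above, checking where a download actually comes from and only installing vetted builds, can be turned into a repeatable gate rather than a judgement call. The script below is an added example and not code from OpenVPN or from any vendor named on this page: it approves an installer only if the URL is https and its hostname sits under an allowlisted domain (the allowlist and all hostnames are constructed placeholders), and if the file's SHA-256 matches the hash a vendor publishes beside the download (the example assumes such a published hash exists). The look-alike URLs show the address-bar tricks the hostname check is meant to catch, including a trusted name used as a prefix or as userinfo.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames your policy treats as official download
# sources. Placeholder name, not any vendor's real infrastructure.
TRUSTED_HOSTS = {"vpn-vendor.example"}


def host_is_trusted(url: str) -> bool:
    """True only for https URLs whose hostname is an allowlisted domain or a subdomain of one.

    urlsplit().hostname discards userinfo and ports, so a lure such as
    'https://vpn-vendor.example@evil.test/' resolves to 'evil.test' rather than
    to the trusted name that appears first in the address bar.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host or "xn--" in host:           # reject punycode look-alike domains outright
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def installer_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the hash published on the vendor's site."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def vet_download(url: str, data: bytes, expected_sha256: str) -> Tuple[bool, str]:
    """Return (approved, reason). Both checks must pass before the installer is run."""
    if not host_is_trusted(url):
        return False, "untrusted download host"
    if not installer_matches(data, expected_sha256):
        return False, "sha256 mismatch: installer differs from the published build"
    return True, "ok"


# Constructed sample installer bytes and a tampered copy (stands in for a trojanized bundle).
SAMPLE_INSTALLER = b"constructed installer bytes for the example"
TAMPERED_INSTALLER = SAMPLE_INSTALLER + b"\x00extra payload"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

GOOD_URL = "https://downloads.vpn-vendor.example/client-setup.exe"
LOOKALIKE_URLS = [
    "https://vpn-vendor.example.evil.test/client-setup.exe",   # trusted name as a prefix
    "https://vpn-vendor.example@evil.test/client-setup.exe",   # trusted name in userinfo
    "http://vpn-vendor.example/client-setup.exe",              # no TLS
    "https://xn--vpn-vendr-example.test/client-setup.exe",     # punycode look-alike (constructed)
]

if __name__ == "__main__":
    print(vet_download(GOOD_URL, SAMPLE_INSTALLER, SAMPLE_SHA256))
    print(vet_download(GOOD_URL, TAMPERED_INSTALLER, SAMPLE_SHA256))
    for u in LOOKALIKE_URLS:
        print(u, "->", vet_download(u, SAMPLE_INSTALLER, SAMPLE_SHA256))
```

The hash check is only as good as the source of the expected value: read it from the vendor's own site over TLS, never from the page or email that handed you the link, or a poisoned result can supply a matching hash for its own bundle.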
Whether you’ve been impacted by the security vulnerabilities and threats or not, we have a few key steps to keep in mind:
For ultimate control of your network security, check out OpenVPN’s self-hosted Access Server. Try Access Server for free, and improve your security posture in under 20 minutes. Get started with free connections today.