What to do if you have a VPN vulnerability

Zach DeMeyer
April 30, 2024

If you run a VPN, there is a good chance it has had a publicly disclosed vulnerability: 314 VPN vulnerabilities were reported from 2021 to 2023. These flaws are a significant security threat. Exploited, they range from command injection on the VPN appliance itself to a foothold inside your network, and from there to persistence, data exfiltration, and a full breach.

If your VPN has a vulnerability, your organization is exposed, so the time to act is now. Here is our playbook for addressing VPN vulnerabilities in your organization.

1. Act quickly

VPN vulnerabilities and misconfigurations are not something to be taken lightly. The longer you expose your network to intrusion over a VPN, the more opportunities you are giving attackers to get into your organization. Of course, the severity of exposure depends on which resources are connected to the VPN. But, regardless, sophisticated attackers can turn the smallest opening into a full-scale incident.

Inventory which VPN gateways and connections are exposed and address the highest-risk ones first: those reachable from the internet and those that reach your most sensitive resources. Also understand which connections are used most heavily so you can fix them with minimal business interruption. Where the exposure is severe, you may need to take the affected connections offline before doing anything else in order to reduce your attack surface.

2. Deploy patches

Ideally, your VPN vendor is aware of the vulnerability and has released a patch. If so, deploy the fix as soon as possible, to both the VPN gateways and the client software on endpoints. Staying up to date on patches, especially security patches, is always in style.

Trusted members of the security community sometimes publish their own unofficial patches, but it is generally best practice to wait for the vendor's official fix, and to treat any third-party patch as a stopgap to be replaced once the official one ships. If no patch is available yet, apply whatever mitigation the vendor has published or, failing that, disconnect the VPN to prevent intrusion while a patch is developed.

3. Initiate incident response

Depending on how long the vulnerability has been exploitable, your systems may already have been compromised; patching closes the door but does not evict an attacker who is already inside. Kick off your incident response procedures, preserve the VPN's authentication and access logs before you patch or reboot the appliance (an upgrade can overwrite them), and isolate any potentially compromised systems. Then use your SIEM or other observability tooling to hunt for signs of intrusion: successful logins from locations a user has never connected from, a burst of authentication failures followed by a success, one source address authenticating as several accounts, or a user appearing in two countries within a few hours.

If you are still unsure, engage a SOC-as-a-service provider to examine your systems and assist with response. Be as thorough as possible: the goal is to be certain that an attacker has not established a foothold in your environment.
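As an added example (not Todyl's code and not part of the original post), here is a small Python triage script that runs the checks described above over VPN authentication logs: new country per user after the disclosure date, failures followed by a success, one source address used by several accounts, and impossible travel. The space-separated log format, the sample log lines, and the DISCLOSURE timestamp are all constructed for illustration; a real export from your VPN will need its own parse_line().

```python
"""Triage VPN authentication logs for post-disclosure intrusion indicators.

Added example, not Todyl's code. The space-separated log format
(timestamp user src_ip country result) and the sample lines below are
constructed for illustration; adapt parse_line() to your VPN's real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    country: str
    ok: bool


# Constructed sample export: one line per authentication attempt.
SAMPLE_LOG = """\
2024-04-28T08:02:11Z alice 203.0.113.10 US success
2024-04-28T08:05:40Z bob 198.51.100.7 US success
2024-04-28T13:15:02Z alice 192.0.2.55 RO success
2024-04-29T01:10:00Z svc-backup 192.0.2.55 RO failure
2024-04-29T01:10:04Z svc-backup 192.0.2.55 RO failure
2024-04-29T01:10:09Z svc-backup 192.0.2.55 RO failure
2024-04-29T01:10:15Z svc-backup 192.0.2.55 RO success
2024-04-29T09:00:00Z bob 198.51.100.7 US success
"""

# Hypothetical time the vendor advisory was published; successful logins
# before it form each user's baseline of "normal" countries.
DISCLOSURE = datetime(2024, 4, 28, 12, 0, 0)


def parse_line(line):
    ts, user, src_ip, country, result = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 user, src_ip, country, result == "success")


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(events, baseline_end, fail_threshold=3,
           fail_window=timedelta(minutes=5), travel_window=timedelta(hours=6)):
    """Return (indicator, user, src_ip, detail) tuples worth an analyst's time."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []

    # 1. Successful login from a country the user never used before disclosure.
    baseline = defaultdict(set)
    for e in events:
        if e.ok and e.ts < baseline_end:
            baseline[e.user].add(e.country)
    for e in events:
        if e.ok and e.ts >= baseline_end and e.country not in baseline[e.user]:
            findings.append(("new_country", e.user, e.src_ip, e.country))

    # 2. A burst of failures followed by a success from the same (user, source):
    #    password guessing or spraying that eventually worked.
    recent_failures = defaultdict(list)
    for e in events:
        key = (e.user, e.src_ip)
        if not e.ok:
            recent_failures[key].append(e.ts)
            continue
        fails = [t for t in recent_failures[key] if e.ts - t <= fail_window]
        if len(fails) >= fail_threshold:
            findings.append(("guess_then_success", e.user, e.src_ip,
                             f"{len(fails)} failures within {fail_window}"))
        recent_failures[key].clear()

    # 3. One source address authenticating as several accounts: shared
    #    attacker infrastructure rather than one person's laptop.
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.src_ip].add(e.user)
    for ip, users in sorted(users_by_ip.items()):
        if len(users) > 1:
            findings.append(("shared_source", ",".join(sorted(users)), ip,
                             f"{len(users)} accounts"))

    # 4. Impossible travel: two successes for one user from different
    #    countries closer together than any plausible journey.
    last_ok = {}
    for e in events:
        if not e.ok:
            continue
        prev = last_ok.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= travel_window:
            findings.append(("impossible_travel", e.user, e.src_ip,
                             f"{prev.country}->{e.country} in {e.ts - prev.ts}"))
        last_ok[e.user] = e

    return findings


def run_sample():
    return triage(parse_log(SAMPLE_LOG), DISCLOSURE)


if __name__ == "__main__":
    for kind, user, ip, detail in run_sample():
        print(f"{kind:20} {user:18} {ip:15} {detail}")
```

The thresholds (three failures in five minutes, six hours for a country change) are starting points, not tuned values; set them from your own baseline so the output stays short enough that an analyst actually reads it. The real value of step 1 is the pre-disclosure baseline: logs from before the advisory tell you what normal looks like for each account, which is another reason to preserve them before patching.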

4. Enforce MFA  

If they do not already, make sure your VPNs require multi-factor authentication (MFA). MFA makes stolen, guessed, or sprayed passwords far less useful to an attacker than they are against a VPN that is only password protected. Be clear about what it does not do: a pre-authentication flaw in the VPN software itself is exploited before any password or second factor is checked, so MFA complements patching rather than replacing it.

Enforcing MFA everywhere is sound practice, but many end users dislike the friction it adds. Compounded with the friction users already associate with VPNs, adding MFA may increase end user dissatisfaction. Given the threat posed by vulnerable VPNs, though, the potential risk far outweighs the inconvenience. This dovetails into the next step.

5. Inform users and stakeholders

Transparency matters in all things security, and especially when you must take potentially drastic measures, as with a VPN vulnerability. Warn end users who rely on the affected VPN connections, both so that they understand the problem and so that they know what you are doing about it. This is especially important when you are shutting the VPN down temporarily or pushing patches to the gateways and to user devices.

Also take this time to alert users if you are adding MFA enforcement on VPN connections. That way, they are not caught off guard by the change and understand the role they play in keeping the company secure. Ongoing security awareness training supports this effort and generally reduces the number of users who bypass the VPN or MFA for the sake of an easier experience.

6. Find an alternative

If you are still concerned about VPN vulnerabilities after following these steps, it may be time to seek out an alternative to VPNs altogether. Given VPNs' track record of exploitable flaws and the general end user dislike for them, some organizations have opted to forgo VPNs entirely in favor of an alternative such as Secure Access Service Edge (SASE).

With SASE, you can provide fast, identity-driven secure access to remote resources without a traditional VPN and the headaches it can create. Because SASE is always on, users' traffic is protected from bad actors wherever the users and their resources are located.

To learn more about using SASE as a VPN alternative, read our eBook. In it, you’ll learn how SASE can replace VPNs altogether, and how to pick out the best SASE solution to fit your needs. Download your free copy now.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.
