
VPN Vendor Disparity Report

As VPNs continue to make headlines, security researchers are getting cynical. Fortinet, Ivanti, Palo Alto and SonicWall in particular have been highly scrutinised. But is the vitriol fair?

1. Executive Summary

In this report, JUMPSEC will provide security-focused analysis of edge device solutions for buyers and users. While business-centred evaluations do exist (e.g. Gartner, Forrester), these reports do not provide a detailed analysis of key security metrics such as global exposure rates, vulnerabilities (frequency and severity), zero-day frequency, and exploit availability, amongst other security-focused metrics.

Perhaps more importantly, while a recent NCSC ‘Forgivable vs. Unforgivable’ framework establishes a method for objective long-term assessment, it is prohibitively time-consuming to apply. JUMPSEC have thus developed ‘Forgivability’ as an open-source automation tool to enable rapid, large-scale vendor assessment.

As we summarise key data points, this consultative paper will seek to answer the following questions:

  • Given an apparent consensus within the cyber security industry that certain edge device vendors are disproportionately at fault for increasing vulnerability rates – how have major providers performed based on an objective analysis of open-source data?
  • Irrespective of vendor statistics – as most organisations must choose a secure edge access solution and accept a degree of operational risk – what are the optimal strategies to build controls around this unavoidable risk in the age of remote working?

The analysis period for this report runs from 2021 to the end of Q2 2025. As an independent cyber security consultancy seeking to advise and protect our clients, JUMPSEC are not affiliated to any of the technology providers analysed and have made every effort to report objectively.

1.1 Our approach

JUMPSEC have conducted several phases of open-source analysis of edge device vendors and products, comprising the following research activities:

  • Baselining edge device vendors by financial size to provide context for particularly high or low vulnerability rates. It is important to remember that the largest or most exposed providers may not necessarily be poorly developed, as they may simply receive the most ‘free pen-tests’.
  • Establishing the baseline of exposure and popularity in edge device exploitation from an attackers’ perspective by analysing exposure via public infrastructure reconnaissance tools.
  • Illustrating the availability of exploits via dark web analysis and available threat intelligence (e.g. Exploit DB, CISA’s KEV database, and wider industry threat intelligence as of H1 2025).
  • Analysis of leading edge device vendors, primarily within the following edge device sub-categories[1], focused on Virtual Private Networks (VPNs) and Firewalls.
  • Collecting and analysing vulnerability, bug bounty and zero-day data.
  • Conducting ongoing dark web and industry report analysis to indicate exploit availability.
  • Providing considerations for alternative control strategies.

Vulnerability data has been compiled from NVD records and verified against open-source CVE databases, vendor advisory listings and available threat intelligence reporting.


1.2 Practical tooling

For context, the NCSC’s ‘Forgivable vs. Unforgivable’ framework has recently reframed this issue, providing a method to assess historically poor development that incorporates CVEs, KEV, and EPSS amongst other indicative sources.

Rather than being influenced by the subjective and narrowly directed criticism of products or CVEs that is commonplace today, this NCSC-backed framework provides organisations with a more objective, data-informed method to assess vendors’ security performance over a long-term period. However, as the effort required to apply the ‘Forgivable vs. Unforgivable’ framework is realistically too time-consuming and technically complex for many organisations to operationalise, JUMPSEC have chosen to proactively develop a tool to automate the process.

JUMPSEC have developed ‘Forgivability’, a tool which automates the process of assessing vendors for vulnerability exposure, evaluating the strength or weakness of their development practices, and classifying each vulnerability by whether it would have been easy, medium or hard to avoid.

2. Who cares about VPNs

It is worth acknowledging that widely used and exposed VPNs and Firewalls are certainly a priority for some threat actors, but not all.

Even within the category of financially motivated ransomware groups, threat actors such as CL0P and FIN7 have a track record for dedicating substantial effort to identifying sophisticated zero-day exploits and would be unlikely to rely primarily on the exploitation of known edge device CVEs as their predominant route to initial access. Conversely, a multitude of threat groups are known to frequently rely on indiscriminate mass-scanning and exploitation of exposed services.

This implied knowledge was evidenced by a uniquely insightful intelligence event in February 2025, as Black Basta ransomware’s chat logs were leaked. Black Basta clearly prioritised VPN exploitation as a key initial access vector, developing a bespoke BRUTED framework which could enable unauthorised initial access to vulnerable or misconfigured versions of major edge devices.

The following is an abstract yet useful visualisation of how ransomware groups favour certain initial access strategies, which in turn can drive a dependence on exploiting known CVEs in edge devices.

As for geopolitically motivated threats, while attackers will gain initial access by any means necessary, we do know, for example, that the China-based, espionage-focused Salt Typhoon have persistently targeted known router CVEs across 2024/’25. Conversely, other nation-state actors motivated by opportunistic financial gain (e.g. North Korean APT43 or BlueNoroff) consistently opt to socially engineer initial access, with little evidence of vulnerability exploitation.

Therefore, it is important for organisations to understand the initial access strategies deployed by their higher-probability adversaries. Those with an inadequate level of threat modelling or defence in depth, or those who have not explored non-typical technical edge device set-ups or vendor selections, may benefit from the defensive strategies discussed in section 6, What’s next.

3. Why Vendor Size Matters

One may assume a given provider with high vulnerability rates is guilty of poor development practices, but it is important to remember that they may simply be receiving a disproportionate number of ‘free pen-tests’ from malicious attackers and offensive security professionals seeking to identify CVEs or bug bounties. Large vendors typically have an outsized number of devices that are discoverable via the public internet at a given moment in time and, excluding some notable exceptions, this generally correlates with total CVE figures.

Therefore, to establish a baseline of exposure, and the relative scope for mass exploitation of edge devices from an attackers’ perspective – JUMPSEC have analysed the average level of exposure over Q1 and Q2 2025 for major edge device providers via Shodan and Censys. For example, major VPN vendors are shown below.

The average proportionate exposure for major VPN vendors over H1 2025.

Although a minor consideration, we have illustrated edge device providers’ financial size. This predominantly serves as context for the relative success that certain providers appear to have had in reducing the total number and severity of vulnerabilities over the past five years.

Cisco are by far the largest financial entity of analysed edge device vendors.

Whilst we highlight this primarily to explain why total devices exposure may be higher or lower, this may also have contributed to Cisco’s reasonable success in reducing vulnerabilities in recent years – at least compared to other vendors who have publicly pronounced their ‘commitment to secure development’ but failed to reduce vulnerabilities over time.

4. VPNs and Firewalls

JUMPSEC have chosen to analyse several widely used VPN technologies – selected not because of significant technical differences, but to display and understand the substantial CVE database graphically. Each graphic contains CVE:

  • Frequency: the count of vulnerabilities over a specified period (the last five years).
  • Severity: CVSS scores are included to calculate the average severity for each vendor.

As we interpret the total CVE figures, remember that vendors may assign multiple CVEs to closely related vulnerabilities affecting similar code or devices. This splitting of related issues into multiple CVEs may inflate total CVE counts and can give the impression of poor security hygiene, yet it could also be viewed as a sign of vendor transparency and a mature vulnerability disclosure process.

That said, over the long term, a higher volume of CVEs remains a reasonable indication of the broader attack surface and the likely increased patching burden an organisation will face.

One is struck by the degree to which Ivanti and, to a lesser extent, Palo Alto, suffered CVEs in 2024. Worryingly for SonicWall users, H1 2025 appears to be an increasingly vulnerable period.

However, JUMPSEC stress that this knowledge alone is limited. Organisations must recognise that notable disparities exist and can quickly emerge as threat actors seek to opportunistically ‘swarm attack’ technologies that are perceived to be particularly vulnerable. This means regular attack surface management is essential to continually monitor high-risk edge devices, and should be used in combination with analytical tools such as ‘Forgivability’ to support secure technology procurement choices.

When we include total CVEs across vendors’ technology stacks, the data correlates with the proportionate size of major VPN and Firewall providers (particularly Cisco and Fortinet).

Naturally, there are a host of major VPN vendors JUMPSEC have not analysed, such as Citrix, Juniper, F5, or popular alternative open-source providers such as WireGuard. Again, JUMPSEC encourage organisations to utilise open-source tooling such as ‘Forgivability’ to conduct rapid, large-scale vendor assessments.

2025 Focus: SonicWall

There is plenty of great analysis on specific SonicWall CVEs (such as Watchtowr’s most recent analysis), but to zoom out for a moment, SonicWall may also be suffering the same ‘swarm attack’ phenomenon as Ivanti in 2024, and non-VPN victims like Progress Software (MOVEit) back in 2023. After that seismic 0-day, Progress Software went from a single ZDI-tracked 0-day in 2023 to a massive 29 disclosed across 2024, as bug bounty hunters and threat actors alike swarmed their products to surface vulnerabilities.

SonicWall vulnerabilities with public and potential exploits from 2021 to H1 2025 indicate another opportunistic ‘swarm attack’ on a VPN vendor.

Despite several new SonicWall CVEs in 2025, most of the public or potentially exploited vulnerabilities aren’t new. Many CVEs marked as having public or potential exploits this year relate to vulnerabilities first published years or even decades ago, only now receiving increased attention through updates, advisories, or renewed exploitation.

Exploitable CVEs that are 10+ years old are still relevant, weaponised, and may be exploited.

This indicates that attackers are exploiting the inherent weaknesses in outdated or poorly maintained technologies where organisations commonly overlook or deprioritise patching. Even if a CVE seems ‘old’, the persistent use of historic vulnerabilities is a reminder that proactive management doesn’t mean exclusively focusing on the latest headline-grabbing flaw.

5. Exploit Popularity

Hypothetical vulnerabilities are irrelevant without the ability to exploit them.

To illustrate the current availability of exploits for edge devices, JUMPSEC have analysed dark web forums and marketplaces, and a range of open-source threat intelligence, e.g. Exploit DB, CISA’s KEV database, and wider industry threat intelligence across H1 2025.

CISA’s KEV database

The Known Exploited Vulnerability (KEV) catalogue identifies vulnerabilities that are actively being exploited in the wild and are considered high priority for remediation by government agencies, critical infrastructure and enterprises alike.

This chart shows the number of Known Exploited Vulnerabilities (KEVs) listed in the CISA KEV catalogue for six major vendors — Cisco, Fortinet, SonicWall, Ivanti, Check Point, and Palo Alto Networks — between 2022 and 2025.
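The per-vendor metrics this report relies on (CVE frequency per year and mean CVSS severity from section 4, KEV counts from the chart above) reduce to a short aggregation over vulnerability records, with a year-on-year spike check for the ‘swarm attack’ pattern described in section 4. The following is an added illustration, not JUMPSEC’s Forgivability tool or any vendor’s data; the records, vendor names and CVE identifiers are constructed, and the spike thresholds (`factor`, `min_count`) are assumed values:

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records in a simplified NVD-like shape (not real CVEs):
# (cve_id, vendor, published_year, cvss_base_score, listed_in_kev)
SAMPLE_RECORDS = [
    ("CVE-EXAMPLE-0001", "vendor-a", 2022, 7.5, False),
    ("CVE-EXAMPLE-0002", "vendor-a", 2022, 5.3, False),
    ("CVE-EXAMPLE-0003", "vendor-a", 2023, 9.8, True),
    ("CVE-EXAMPLE-0003", "vendor-a", 2023, 9.8, True),   # duplicate feed entry
    ("CVE-EXAMPLE-0004", "vendor-a", 2024, 9.8, True),
    ("CVE-EXAMPLE-0005", "vendor-a", 2024, 8.8, False),
    ("CVE-EXAMPLE-0006", "vendor-a", 2024, 7.2, False),
    ("CVE-EXAMPLE-0007", "vendor-a", 2024, 9.1, True),
    ("CVE-EXAMPLE-0008", "vendor-a", 2025, 6.5, False),
    ("CVE-EXAMPLE-0009", "vendor-b", 2021, 7.5, False),
    ("CVE-EXAMPLE-0010", "vendor-b", 2023, 8.8, True),
    ("CVE-EXAMPLE-0011", "vendor-b", 2025, 9.8, True),
    ("CVE-EXAMPLE-0012", "vendor-b", 2025, 7.5, False),
    ("CVE-EXAMPLE-0099", "vendor-b", 2020, 10.0, True),  # outside the window
]

def summarise(records, start=2021, end=2025):
    """Per vendor: CVE count per year, mean CVSS and KEV count in the window."""
    by_vendor = defaultdict(lambda: {"by_year": defaultdict(int), "scores": [], "kev": 0})
    seen = set()
    for cve_id, vendor, year, score, in_kev in records:
        if cve_id in seen or not start <= year <= end:
            continue  # de-duplicate merged feeds and restrict to the analysis period
        seen.add(cve_id)
        v = by_vendor[vendor]
        v["by_year"][year] += 1
        v["scores"].append(score)
        v["kev"] += int(in_kev)
    return {
        vendor: {
            "total": len(v["scores"]),
            "by_year": dict(sorted(v["by_year"].items())),
            "mean_cvss": round(mean(v["scores"]), 2),
            "kev": v["kev"],
        }
        for vendor, v in by_vendor.items()
    }

def spike_years(by_year, factor=2.0, min_count=3):
    """Years whose CVE count jumped by `factor` over the prior year (assumed thresholds)."""
    return [y for y, n in by_year.items()
            if n >= min_count and n >= factor * max(by_year.get(y - 1, 0), 1)]

if __name__ == "__main__":
    for vendor, s in summarise(SAMPLE_RECORDS).items():
        print(vendor, s, "spike years:", spike_years(s["by_year"]))
```

The `min_count` floor stops a vendor with one or two CVEs a year from being flagged as a swarm on noise alone.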

Dark Web Analysis

With new critical vulnerabilities for VPNs regularly dominating cyber security headlines today, one might assume that underground marketplaces are awash with edge device exploits. However, this is not always the case. Exploits for VPN appliances—especially zero-days or pre-auth RCEs—remain extremely valuable and are often sold privately or traded in closed groups rather than posted on open forums.

The screenshots above demonstrate the range of platforms analysed—from relatively accessible forums like Probiv (above), to more obscure marketplaces and sophisticated leak sites that require significant effort to access or infiltrate.

As threat actors leverage diverse channels from open or obscured marketplaces, Telegram groups, ransomware leak sites, and forums to trade or share exploits, enumerating the precise number of VPN exploits on the market is close to impossible. JUMPSEC have however analysed a sample of 8 accessible dark web marketplaces, to estimate the proportionate popularity of specific edge device exploits in 2025.

At time of writing, JUMPSEC identified ~10 edge device vulnerabilities in total, with less than half specifically relating to VPNs. While the covert nature of edge device trading is a factor, threat actors like Black Basta have already demonstrated that 0-days or exploits often aren’t needed when thousands of VPN portals still allow basic credential guessing.

6. What's next?

Irrespective of individual vendor performance, a degree of risk acceptance must be held by organisations using edge devices, particularly in the post-pandemic remote working world.

While some organisations have sought to transition away from traditional VPN and SSL VPN solutions to Zero Trust Architecture (ZTA), others cannot, due to implementation complexity, operational dependency, the cost of change or simply a lack of trust.

Those unwilling to switch to ZTA have turned to open-source VPN solutions such as WireGuard or OpenVPN. This is often due to their transparency when it comes to security audits, as they allow organisations to verify the integrity and security of the codebase, thus reducing concerns over hidden or emerging vulnerabilities in proprietary solutions. WireGuard has a simplified, modern codebase compared to older VPN protocols, which can reduce the attack surface and make it more resilient to exploitation.

6.1 Guiding principles

Regardless of the technology type, JUMPSEC’s advice is to choose edge device solutions that can be tailored to your specific environment, and to remain vigilant on the following:

  • Visibility: Ensure your chosen vendor enables comprehensive logging. Explore open-source options and consider how you structure your internal infrastructure for optimal visibility.
  • Avoid Misconfiguration: Carefully assess the privileges you grant. Consider the level of access and permissions you allow, and ensure configurations are tightly controlled to minimise errors.
  • Defence in Depth: Always assume a breach. Implement multiple layers of security, including zero-day protection on the device, to mitigate risks in the event of an attack.
  • Reduce Your Attack Surface: Where possible, limit the number of exposed services, devices, or connections. Minimising potential points of entry is a crucial step in reducing vulnerabilities.

For UK organisations looking for practical guidance, the NCSC’s factsheet on managing edge devices provides valuable insights. For those keen to explore an entirely new set-up, the new NIST framework for Zero Trust Architecture (ZTA) provides significant technological guidance.

6.2 A Word of ZTA Caution

While an incredibly detailed and useful resource, it is important to recognise that the guidance may not place enough emphasis on the need for the right security philosophy and appropriate policy to be applied across key people and processes within an organisation. It is essential to get the technology set up correctly, but successful implementation of ZTA requires more than just the right tools as the right people and processes are fundamental to achieving long-term, sustainable security.


Sean Moran

Sean is a security writer with a focus on ransomware extortion and its impact on the wider cyber security industry.
