Shawn and Andres analyzed NVD-sourced data focusing on the top 16 vendors of SSL VPN products. One clear pattern emerged: a dramatic spike in vulnerabilities in 2024, following a lull from 2016–2022. “With COVID, we hit a point where the remote workforce had just expanded very rapidly,” said Andres. “SSL VPNs became the go-to, and attackers followed the popularity.”

Andres noted this isn't unique to VPNs. “Attackers gain understanding of a technology, and then they build exploits. You saw it in OT and ICS too,” he explained.

Perhaps the most eye-opening finding: Ivanti (formerly Pulse Secure) accounted for nearly 40% of all SSL VPN vulnerabilities, far outpacing competitors. “It’s not what they’re doing—it’s what they’re not doing,” Shawn remarked pointedly, referencing poor input validation and patch clustering across product versions.

Andres added crucial context: many of these vulnerabilities are not standalone issues. “You can see the explanation in the CISA forensics reports—these are chained attacks. Each exploit in the chain gets its own CVE, but it's often one root issue.”

The duo didn’t just analyze the what—they dug into the why. And the answer is unsettling. “We're still struggling with input validation—something we were talking about in 2005,” Andres lamented. He pointed out that SSL VPNs ride on top of TLS, but at their core, they’re just web applications—and that means they’re vulnerable to every known category of web-based attack.

“TLS is a myth in many cases. It encrypts the stream, not the data,” Andres continued. Misconceptions about TLS security, combined with the adoption of outdated or hastily deployed infrastructure, has led to an environment ripe for exploitation.

The most chilling insight? Many vulnerabilities required no authentication at all. As Shawn explained, “30% of these just require a single payload for remote command execution. That’s critical.”

Andres underscored how rapidly attackers can take advantage of exposed VPN instances: “We had a cloud POC with default credentials live, and within two hours it got hit.”

The key takeaway isn’t just alarm—it’s action.

• Assess SSL VPN infrastructure now—especially if using Ivanti.
  
  
• Scrutinize input validation and web server modules handling requests.
  
  
• Shift to proactive vulnerability and exposure management, integrating MITRE ATT&CK mapping and real-world exploit tracking.
  
  

As Andres emphasized, “We’ve outlived the usefulness of TLS as a sole defense.” Organizations need layered, context-aware security postures and visibility into which CVEs actually map to MITRE attack chains.

This webinar pulled no punches. As Shawn and Andres revealed, the SSL VPN ecosystem is under siege—not because attackers got smarter, but because defenders trusted outdated models and failed to evolve.

It’s time to stop assuming VPNs are secure just because they say they are. As Andres put it, “The fact that we're still here in 2025 talking about the same input validation problems as in 2005 is just mind-blowing.”