VPN technology protects only on the transmission path against man-in-the-middle attacks, not against malware, phishing, or modern tracking—and concentrates trust rather than eliminating it.
The critical vulnerability CVE-2026-50571 with CVSS 9.3 allows attackers to establish VPN sessions without valid passwords and has been actively exploited against organizations worldwide since May.
Unauthenticated attackers can gain VPN access without a password through a certificate verification flaw in IKEv1 configuration and are being exploited by ransomware groups.