Organization and team

The False Promises of Consumer and Enterprise VPNs

The consumer VPN doesn't make you anonymous. The enterprise VPN concentrator sitting at the edge of the internet has become one of the most attacked appliances in existence. A reality check on two widespread misconceptions.

Published 5 min read Critical

Last reviewed:

Network cabling in a datacenter

A VPN doesn’t remove risk. It only decides who you hand that risk to.

The VPNEncrypted tunnel between your device and a server, masking your IP and traffic from your ISP. is sold as a universal security solution. In reality, these are two very different products sharing the same name, and both rest on a misunderstanding. On the consumer side, you are sold anonymity that the technology cannot deliver. On the enterprise side, for twenty years organizations have placed a high-privilege box at the edge of the internet — and it is now one of the most attacked appliances in existence.

What a consumer VPN does, and doesn’t do

“Military-grade encryption.” The phrase appears in every advertisement. It refers to AES-256 — a public, free, twenty-five-year-old standard that your bank and messaging apps already use. That is not a flaw; it is good encryption. But as a selling point, the phrase is meaningless. Your connected toaster could make the same claim.

What a VPN actually does: it encrypts traffic between your device and the provider’s server, and hides your IP address from your internet service provider. Useful on public Wi-Fi, to bypass geographic restrictions, or to keep your traffic private from your ISP.

What it does not do: make you anonymous. Cookies, browser fingerprintingIdentifying a device by unique browser and system characteristics., and your logged-in accounts continue to track you. And the VPN provider itself sees your real IP address and your traffic. You have not eliminated the witness to your browsing — you have moved it from your ISP, which you are stuck with, to a company you chose without being able to verify its claims.

“No logs” is a promise, not proof. What counts is an independently published audit, or a court order that confirms there was genuinely nothing to hand over. Several providers who swore they kept nothing have been caught logging. Brand ownership adds to the confusion: dozens of apparently competing VPNs share the same parent company, sometimes the same one running the comparison site recommending them.

The VPN concentrator — the most exposed box in the enterprise

The enterprise VPN is a different beast. A SSL-VPNA remote-access gateway permanently exposed to the internet, a high-privilege single point of entry. concentrator, such as Fortinet devices, is a box placed at the edge of the internet. It exposes a permanently listening service that every scanner on the planet knows: Shodan continuously indexes exposed FortiGate appliances. It terminates TLS, holds credentials and session tokens in memory, and once a user authenticates, it often opens access to a flat network.

That is the ideal target profile: exposed, high-privilege, a single point of passage. Fortinet is the most targeted because it is the most widely deployed, not because it is uniquely at fault. Citrix and Ivanti face exactly the same problem on their own gateways.

The record is documented and spans years. In 2020, mass exploitation of CVE-2018-13379 leaked VPN credentials from approximately 50,000 Fortinet appliances. This was followed by a series of critical remote code execution flaws in FortiOS SSL-VPN — CVE-2022-42475, CVE-2023-27997, CVE-2024-21762 — all actively exploited and listed in the CISA Known Exploited Vulnerabilities catalog. These flaws do not stay theoretical: real intrusions begin on the VPN appliance and spread via lateral movementAn attacker's progression from an initial foothold to other systems on the same network. across the network. The pattern repeated in early 2026, with a large-scale Fortinet credential leak and joint CISA/NCSC alerts.

You have not eliminated the risk. You have moved it to a box the entire world can reach.

Shield — shield.travel

What actually reduces risk

On the consumer side, choose based on verifiable criteria: a published independent audit, a clear jurisdiction, transparent ownership, and an open protocol like WireGuard or OpenVPN. Not a slogan. And keep in mind what a VPN does not do: for public Wi-Fi, widespread HTTPS already protects the substance of most traffic.

On the enterprise side, the fix comes first from discipline, then from architecture. The management interface of a border appliance has no business being on the internet. Multi-factor authentication is everywhere. Exposed appliances are patched at the pace of the CISA catalog, not quarterly. And since credentials may have already leaked silently, treat them as compromised and rotate them.

The underlying model — one login opens the whole network — has run its course. The direction is application-level access, where each resource is reached based on identity and device posture, with no single listener planted at the border for any scanner to find.

Angle de lecture

The VPN you paid for to “be anonymous” mostly shifts your trust from your ISP to a company whose promises you cannot verify. Its legitimate uses exist: public Wi-Fi, bypassing geographic restrictions, keeping traffic private from your ISP. Anonymity is not among them. Choose based on a published independent audit and transparent ownership — never on “military-grade.”

Your VPN concentrator is your most exposed and most privileged device. Audit every VPN and management interface reachable from the internet, remove management from the public-facing side, enforce MFA, and patch at the pace of the CISA KEV. Assume credentials have already leaked and rotate them. In parallel, commit to moving from flat network access toward application-level access.

“We have a VPN” is not an answer to “are we protected.” The box everyone can reach is a single point of failure at the edge of your network. The two questions that matter: how fast do you patch that box, and does a single login still open the entire network. Everything else is an architecture question you need to mandate and fund, not delegate to hope.

Action items

  • N1 No VPN appliance management interface is reachable from the internet.
  • N1 Multi-factor authentication covers all VPN and management access.
  • N1 Border appliances are patched at the pace of the CISA KEV catalog, not quarterly.
  • N2 VPN and management credentials are treated as potentially leaked and rotated accordingly.
  • N2 The move from flat network access to application-level access is committed to and budgeted.
  • N3 Consumer VPN selection is based on a published independent audit, not an advertising slogan.

Sources

Related articles