Cybersecurity Vulnerabilities from Unpatched VPNs and Software
Would you feel comfortable knowing your healthcare provider has been using known-exploited versions of VPN software, putting all of your personal information at risk? Software that many businesses rely on to function, such as VPNs, PDF readers, and browsers, is a silent gateway that attackers can take advantage of to infiltrate networks.
At Cork Cyber, we proactively monitor over a million devices to safeguard against threats. As part of this effort, we analyze software inventories across these devices that come from RMMs and other tools to identify vulnerabilities and potential risks. Discover how your industry’s sanitation practices compare to others and uncover potentially concerning issues within your own environment that you might be overlooking.
Which industries are managing these vulnerabilities the best?
When we look at the different vulnerabilities among sectors, one industry stands out for its effective sanitization of software vulnerabilities compared to the rest: educational services. Out of a sample of 7,000 devices, only 15.2% of devices were found to have a vulnerability (routine to critical). This sector’s success is driven by a shift toward cloud-centric OS environments (such as ChromeOS) and centralized management tools. Chromebooks alone were found to reduce support labor by 92% in comparison to standard desktops and laptops. Compared with the healthcare and social assistance sector, the difference is alarming. In a much larger sample of 38,793 devices, we found that more than a third (34.4%) of devices contained some sort of vulnerability. A device in a healthcare setting is more than twice as likely to be vulnerable as one in a classroom, despite much more being at stake. For context, across all sectors we found that on average 29.3% of devices are considered vulnerable.
So, what exactly is triggering these alarms?
When we look beyond the standard browser-based threats that affect every user, the most critical risks are seen in the operational tools industries rely on daily: VPNs, PDF readers, and database management systems. While browser vulnerabilities are frequent, they are often low in severity due to auto-updates. Often a user has multiple browsers installed and keeps the browser of choice updated, while the other browsers remain out of date because they are never opened. The real “silent killers” are the infrastructure tools that facilitate remote work and storage: software that is often trusted, installed, and then forgotten.
In the healthcare sector, our most concerning finding is the massive prevalence of vulnerable SonicWall NetExtender clients (1,358 devices). Just this year there has been a surge in attacks where threat actors have exploited defects such as CVE-2024-40766 and CVE-2024-53704 to bypass multi-factor authentication entirely. By targeting these unpatched clients, attackers can hijack active SSL VPN sessions to infiltrate networks with the same permissions as a doctor or administrator. A breach here doesn’t just stop a sale or cause downtime; it puts patient care and safety at risk. If an unpatched NetExtender client lets ransomware in, it could lock up patient histories, delay surgeries and more, making the management of these vulnerabilities an absolute necessity. In 2025 it was found that 72% of U.S. healthcare organizations that faced a cyberattack had a disruption to patient care.
The financial and construction sectors face a different but equally dangerous VPN hurdle, with a heavy reliance on Cisco Secure Client (formerly AnyConnect). These industries often rely on Cisco because it is a trusted industry standard for enterprise security. However, its large prevalence also makes it a prime target. When hundreds of devices are left unpatched, finding a backdoor into the network becomes much easier. A compromised VPN could allow attackers to steal proprietary blueprints and bid data in the construction industry. In finance the stakes are even higher, with the ability to steal clients’ financial records. In 2025 the “Velvet Ant” group targeted many sectors, including financial, to steal sensitive records and intellectual property by exploiting Cisco vulnerabilities and others. By utilizing these specific VPN flaws, they were estimated to have stolen over $244 million by late 2025.
However, not all threats come via remote access tools. For the professional, scientific, and technical services sector, as well as the manufacturing sector, the danger lies deep within the backend. For Microsoft SQL Server 2019 alone, we found 2,768 vulnerable devices in the former and 1,028 vulnerable devices in the latter. Leaving these vulnerabilities unattended can allow hackers not only to steal sensitive client records but also to deploy ransomware that encrypts the database files. The compromised business is then threatened: either pay a ransom fee, or have its files leaked on the internet while they remain encrypted. It’s very easy for this to lead to the end of many small businesses. Half of all small businesses only have enough cash to stay open on average for 27 days with no income. Meanwhile, the average length of recovery for a ransomware attack in 2025 was up to 27 days.
Lastly, out-of-date PDF readers were the third biggest point of entry among various sectors. While these tools are viewed as harmless utilities, a single unpatched reader can turn a routine document review into a full network compromise. We found 161 devices in the educational services sector with a Foxit PDF Reader vulnerability, as well as 341 devices in the public administration sector running Adobe Acrobat Reader with a vulnerability. Threat actors have been seen exploiting these flaws and embedding malicious code into what seem to be innocent PDF assignments or administrative forms. When a teacher or administrator opens the file, the exploit triggers silently in the background, executing code that can deploy spyware like Remcos RAT (remote access trojan) to harvest credentials. This compromises not only personal administrative records but student records as well. RATs such as Remcos allow webcams and microphones to be remotely activated, which can also threaten the safety of minors.
Do you truly know what lives on your network?
The vulnerabilities we’ve discussed so far affect SQL servers, corporate VPNs, and PDF readers, all of which are business-critical tools. It comes as no surprise they are installed; they are essential for operations. But the question every business leader and MSP must ask is: are you aware of everything else?
Some businesses allow individuals to bring their own device (BYOD), but if devices aren’t properly monitored and sanitized, corporate networks are put at serious risk. It takes only one compromised device running unauthorized or vulnerable software to bridge the gap between a secure environment and the public internet. While analyzing vulnerabilities and software inventories, we’ve found many employees treating company assets like personal laptops, introducing significant risk.
One of the most frequent unauthorized categories we observed was the presence of personal VPNs. We found about 4,000 instances of ExpressVPN, NordVPN, Surfshark, and Private Internet Access installed on corporate workstations. While employees may have legitimate reasons to have these installed, they create a “blind spot” where data can be exfiltrated (or malware introduced) without the security team ever seeing it happen.
Even more concerning was the presence of torrent clients (such as Deluge and uTorrent) and other peer-to-peer file sharing software. This isn’t just a potential legal issue regarding copyrighted material; it’s a direct pipeline for identity theft. According to a 2024 report by Flare, nearly 41% of all stolen credentials sold on the Dark Web originated from devices infected via pirated software and P2P games.
However, not every unauthorized app we found was “malicious”; many were simply reminders that everyone is human. Across all industries we found thousands of installs of Spotify and other personal media software. We also checked for the presence of applications associated with gaming such as Steam, Epic Games, and Discord. While gaming software is more expected in education environments, its prevalence in the information sector (also seen in other business-oriented sectors) exposes a critical gap in endpoint management.
MSPs must take it upon themselves to better enforce strict software policies on corporate assets. Whether operating under a BYOD policy or simply failing to lock down corporate hardware, the lack of proper monitoring and sanitization puts networks at serious risk. They need to both block unauthorized executables and question why recreational software is being run on devices intended for secure business operations.
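As an added illustration (not Cork's tooling or code from the original article), the following Python sketch audits an RMM-style software inventory for the unauthorized categories named above and for installs below a version baseline. The CSV layout, device names, and minimum versions are constructed placeholders, not real vendor fix versions.

```python
import csv
import io
import re
from collections import defaultdict

# Policy categories built from the product names the article lists.
UNAUTHORIZED = {
    "personal_vpn": ["expressvpn", "nordvpn", "surfshark", "private internet access"],
    "p2p": ["deluge", "utorrent"],
    "recreational": ["spotify", "steam", "epic games", "discord"],
}
# Constructed placeholder baselines, NOT real vendor fix versions.
MIN_VERSION = {"sonicwall netextender": "99.1.0", "foxit pdf reader": "99.2.0"}

# Constructed RMM-style export (device, software, version).
SAMPLE_INVENTORY = """device,software,version
FRONTDESK-01,SonicWall NetExtender,99.0.4
FRONTDESK-01,Spotify,1.2.3
LAB-07,\u00b5Torrent,3.6.0
LAB-07,Foxit PDF Reader,99.2.0
ACCT-02,NordVPN,7.1
ACCT-02,Steamship Logistics Client,2.0
"""

def norm(name):
    """Lowercase, map the micro sign to 'u', collapse punctuation to spaces."""
    name = name.lower().replace("\u00b5", "u").replace("\u03bc", "u")
    return re.sub(r"[^a-z0-9]+", " ", name).strip()

def vtuple(version):
    """Turn '99.0.4' into (99, 0, 4, 0) so versions compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0] * 4)[:4])

def audit(csv_text):
    """Return {device: [(finding, software), ...]} for policy violations."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = norm(row["software"])
        for category, needles in UNAUTHORIZED.items():
            # Whole-word match so "Steamship" is not flagged as "Steam".
            if any(re.search(rf"\b{re.escape(n)}\b", name) for n in needles):
                findings[row["device"]].append((category, row["software"]))
        for product, minimum in MIN_VERSION.items():
            if name.startswith(product) and vtuple(row["version"]) < vtuple(minimum):
                findings[row["device"]].append(("below_baseline", row["software"]))
    return dict(findings)

if __name__ == "__main__":
    for device, items in audit(SAMPLE_INVENTORY).items():
        print(device, items)
```

In practice the baseline table would be populated from vendor advisories or NVD data rather than hard-coded values.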
What can you do to be aware of these issues?
Awareness is the first line of defense; you cannot patch what you do not know exists. The NIST Cybersecurity Framework (CSF) 2.0 is a great reference to ensure you are checking all boxes. In short, you need to maintain a complete software inventory, implement continuous vulnerability monitoring, and adopt an enterprise patch strategy.
Continuous monitoring can feel like a massive undertaking, largely because standard RMMs fall short. Most tools focus strictly on Windows updates and popular apps like Chrome, leaving you to manually track patches for everything else. To bridge this gap, Cork developed its own software vulnerabilities tool to help provide suggestions and comprehensive visibility that traditional RMMs miss.
Rather than focusing solely on popular applications, Cork evaluates your entire software inventory. It maps your software against official vulnerabilities from the National Vulnerability Database (NVD) by NIST and cross-references them with emerging threats actively being exploited and identified on the dark web. Instead of just flagging the problem that others miss, Cork also gives clear remediation steps for each CVE that is detected and the easiest way to solve the vulnerability.
Visit corkinc.com to learn more, or schedule a live demo with the team to see your hidden vulnerabilities today.

