Recently, a critical vulnerability with a severity score of 9.3 was announced for Check Point remote access deployments. The flaw centres on the deprecated Internet Key Exchange version 1 (IKEv1) protocol, a standard that has been obsolete for years yet still sits on the perimeter of countless organisations, acting as an open door. Threat actors, specifically affiliates of the Qilin ransomware group, are already exploiting it in the wild.
This is not an isolated incident. The 2025 VPN Risk Report highlights that virtual private networks remain the top exploited area for enterprise infrastructure. If we look at the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency, it is heavily populated with perimeter security appliances. Just this year, we have seen major warnings issued for Palo Alto firewalls and Fortinet systems. The Canadian Centre for Cyber Security recently issued stark warnings regarding active exploitation of these very appliances.
We have discussed previously how the time to exploit approaches zero. Once a vulnerability is public, automated scanners find your exposed endpoints in minutes. The fundamental issue is that a virtual private network is the epitome of absolute trust. It is the exact opposite of a zero trust architecture.
The Operational Nightmare of Absolute Trust
When you provision a virtual private network connection, you are effectively running a long, invisible Ethernet cable deep into your infrastructure. It grants broad network access rather than narrow, application-specific access.
Compounding this architectural flaw is the operational nightmare. These software clients are set up and forgotten. They reside on the laptops of third-party vendors, contractors, and partners. They span multiple management domains where your internal remote monitoring and management tools cannot reach. When a zero-day vulnerability drops, you face an impossible task. You cannot force an update on a machine you do not control. You are left relying on external partners to patch their clients, while your perimeter remains critically exposed.
Modernising Access with Strong Identity
The industry must stop attempting to patch legacy network bridges and start modernising access. The answer lies in strong, simple identity. We need to transition away from network-level trust and move to modern, web-based standards utilising HTTPS and TLS 1.3.
By deploying an Identity-Aware Proxy, you remove the network layer from the equation entirely. Users authenticate with strong multi-factor authentication and single sign-on. They are granted access to specific applications rather than the entire corporate network. If a partner device is compromised, the blast radius is contained strictly to the authorised application, rather than providing a pivot point into your core infrastructure.
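The per-application decision described above, as an added example (not code from the original post or from any product): a default-deny check that an identity-aware proxy could run on every request. The hostnames, group names and the `groups` claim are assumptions; `amr` and `exp` are standard OpenID Connect claims, and the token's signature, issuer and audience are assumed to have been verified upstream.

```python
from dataclasses import dataclass

# Constructed policy: application hostname -> groups allowed to reach it.
# Hostnames and group names are hypothetical.
APP_POLICY = {
    "invoices.example.internal": {"finance", "partner-acme"},
    "wiki.example.internal": {"staff"},
}

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

def normalise_host(host_header: str) -> str:
    """Lower-case the Host header and drop any :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: never a published application
        return host
    return host.split(":", 1)[0].rstrip(".")

def authorise(claims: dict, host_header: str, now: int) -> Decision:
    """Decide one request from already-verified ID token claims (assumption)."""
    if claims.get("exp", 0) <= now:
        return Decision(False, "session expired")
    if "mfa" not in claims.get("amr", []):
        return Decision(False, "mfa not satisfied")
    allowed = APP_POLICY.get(normalise_host(host_header))
    if allowed is None:
        # Default deny: anything not published as an application is unreachable,
        # so there is no network range to pivot through.
        return Decision(False, "unknown application")
    if allowed.isdisjoint(claims.get("groups", [])):
        return Decision(False, "not entitled to application")
    return Decision(True, "ok")

# Constructed sample identity for a partner user.
PARTNER = {"sub": "u-1001", "amr": ["pwd", "mfa"],
           "groups": ["partner-acme"], "exp": 2_000}

if __name__ == "__main__":
    for host in ("Invoices.example.internal:443", "wiki.example.internal", "10.0.0.5"):
        print(host, authorise(PARTNER, host, now=1_000))
```

The partner identity reaches only the one application it is entitled to; every other hostname or raw address is refused, which is the containment a network-level tunnel cannot give.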
It is time to accept that perimeter-based network access is a liability. Transitioning to identity-first security is the only pragmatic way to protect your resources in an era where the time to exploit is practically non-existent.
