A VPN gateway is supposed to be the calm, trusted doorway that lets your staff work from anywhere without exposing the office network. For a growing number of businesses, it has quietly become the opposite: an unpatched, internet-facing device that attackers scan for by name, because they know exactly which flaws to try first. Entire scanning campaigns exist purely to catalogue which organisations are still running a vulnerable version, ready to be exploited the moment an opportunity arises.
Remote access became urgent, and security became an afterthought
When remote working expanded rapidly, VPN appliances went from a background utility to mission-critical infrastructure almost overnight. Many were deployed under pressure, configured once, and left alone. Vendors regularly disclose serious vulnerabilities in these very appliances, some allowing full remote code execution without any credentials at all, and attackers move fast once a patch reveals what the flaw actually was, often reverse-engineering the fix within days to build working exploit code.
An external network pen testing engagement exists precisely to catch this gap, checking not just whether your VPN is patched today but whether its configuration, certificates, and authentication methods would hold up against the techniques attackers are actively using against similar devices right now, rather than the techniques that were current when the appliance was first installed.

The gateway is only as strong as what sits behind it
Even a fully patched VPN can be undermined by weak authentication. Single-factor logins, shared credentials for contractors, or split-tunnelling configurations that let compromised home devices talk directly to internal systems all turn a secure-looking gateway into a soft entry point. Attackers do not need to break the encryption. They need one reused password or one poorly configured client to walk straight through the front door, and both are far easier to find than a flaw in the underlying cryptography, which is precisely why they rarely bother looking for one.
William recalled a case that made this risk concrete for a client who assumed their VPN was untouchable.
“The appliance itself was fully patched, which the client was proud of, but the contractor account logging in had no multi-factor authentication and a password we cracked from a public breach list within minutes. Patching solves one problem and leaves the door only half closed.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That gap between a patched device and a genuinely secure one is where most VPN compromises actually happen. It is rarely the software vendor’s fault entirely, and rarely the client’s fault entirely either. It is the combination that gets missed, because each side assumes the other has covered it and nobody checks the join between them.
Make your remote access a strength, not a liability
Patch VPN appliances promptly, enforce multi-factor authentication without exception, and review who still has remote access long after they needed it. Treat every contractor account and every rarely used login as a standing risk that needs a reason to exist, not a convenience left running out of habit. Ask, too, whether your team would even notice an unusual login pattern on that gateway before an attacker had already moved further inside. A penetration testing quote from Aardwolf Security will tell you precisely where your remote access setup stands against current attack techniques, so reach out before an attacker tests it for you.
