Vulnerabilities · HIGH

Malwarebytes VPN - Third-Party Audit Reveals Vulnerabilities

Source: Malwarebytes Labs
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, Malwarebytes had experts check their VPN for security problems.

Quick Summary

Malwarebytes Privacy VPN completed a third-party audit revealing critical vulnerabilities. The company is addressing these issues to enhance user security and privacy. Trust in your VPN provider is essential, and Malwarebytes is committed to transparency.

What Happened

Malwarebytes has recently completed its first third-party audit of the Malwarebytes Privacy VPN and AzireVPN infrastructure. This audit is crucial for verifying the security measures and privacy promises made by VPN providers. Conducted by the penetration testing firm X41 D-Sec, the audit aimed to uncover any vulnerabilities that could compromise user privacy.

Audit Findings

The audit revealed a total of six vulnerabilities categorized by severity:

  • 2 Critical
  • 0 High
  • 2 Medium
  • 2 Low

The critical vulnerabilities were particularly concerning, with one receiving a CVSS score of 9.4 and the other a score of 9.3. These scores indicate a high level of risk, necessitating immediate attention.

Details of Critical Issues

The first critical issue involved the server setup process. During setup, Malwarebytes' servers download a Debian image to install the operating system. The audit found that the checksum of this image was not properly validated, so an attacker able to interfere with the download could deliver a modified image.

The second critical issue related to the Preboot Execution Environment (PXE) used during server boot-up. This process lacked cryptographic signatures, making it susceptible to man-in-the-middle attacks. Although significant physical access would be required for such an attack, the risk remains serious.
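The first finding is a missing integrity check on a downloaded OS image. As an added illustration of what that check looks like in a provisioning script (this is example code, not Malwarebytes' or X41's, and the file names are assumptions), the function below refuses to proceed unless the image's SHA-256 digest matches its entry in a checksum list, and a companion step verifies the detached signature over that list so the check is anchored in a key rather than in whatever the download server happened to serve:

```shell
#!/bin/sh
# Added example (not Malwarebytes' or X41's code): a provisioning step that
# refuses to install a downloaded Debian image unless its SHA-256 digest
# matches the entry in a signature-verified SHA256SUMS list.
# File names below are assumptions for illustration.

set -u

# Print the SHA-256 hex digest of the file "$1", using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Verify the detached OpenPGP signature over the checksum list itself.
# Without this step, an attacker who can replace the image download can
# just as easily replace the checksum list, and the digest check proves
# nothing. Assumes the Debian CD signing key is already in the gpg keyring.
verify_sums_signature() {
    sums="$1"
    gpg --verify "$sums.sign" "$sums" >/dev/null 2>&1
}

# Compare the image's digest with its entry in the checksum list.
# Returns 0 only on an exact match; 2 if the list has no entry for the
# image; 1 on a mismatch. Any non-zero result must abort the install.
verify_image() {
    image="$1"
    sums="$2"
    name=$(basename "$image")
    # Lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "refusing to install: no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$image")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install: checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Usage (not executed here): after fetching the image, SHA256SUMS and
# SHA256SUMS.sign into the working directory:
#   verify_sums_signature SHA256SUMS && verify_image debian.iso SHA256SUMS || exit 1
```

The ordering matters: the signature over the checksum list is checked first, and only then is the list trusted to judge the image. A script that downloads the image and its checksum from the same unauthenticated source and compares them still detects corruption, but not substitution, which is the scenario the audit describes.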

What’s Being Done

Malwarebytes has already addressed one critical vulnerability and is actively working on fixing the remaining critical issue, along with other identified vulnerabilities. The company emphasizes its commitment to user privacy and transparency, stating that it does not log user activity and tightly controls access to its systems.

Industry Implications

This audit highlights the importance of third-party evaluations in the VPN industry. Many VPN providers do not undergo such scrutiny, leaving users unaware of potential vulnerabilities. With 77% of Android VPNs reportedly having significant flaws, Malwarebytes aims to set a standard for transparency and accountability.

Conclusion

The results of this audit are a step forward for Malwarebytes and its users. By openly sharing the findings and actively addressing vulnerabilities, the company reinforces its commitment to user privacy. As the VPN landscape continues to evolve, regular audits will play a crucial role in ensuring the security and trustworthiness of these services.

🔒 Pro insight: The critical vulnerabilities identified underscore the necessity for continuous security assessments in VPN services to maintain user trust.

Original article from Malwarebytes Labs.
