Malwarebytes Privacy VPN receives full third-party audit
2026-04-02 13:00:00 Author: www.malwarebytes.com

For the careful VPN customer today, so much depends upon a privacy promise, made, too often, by a company without proof.  

No-logs policies, modern encryption algorithms, a refusal to store sensitive customer information, and full ownership of servers are just some of the features that contribute to a strong VPN. Yet they’re the same features that are often impossible for any individual customer to confirm.  

This is why it is so important for VPN providers to participate in a third-party audit, which allows external security experts to review the software and hardware that a company has developed and deployed to operate its VPN service. Like a home inspection that exposes signs of damage, a VPN third-party audit exposes the security vulnerabilities that may reside in one of the most important pieces of privacy technology today.  

So, we are proud to have participated in our first-ever third-party audit for the infrastructure that now powers both Malwarebytes Privacy VPN and AzireVPN—the two VPN products that we operate and maintain. This dual structure is the result of our purchase of AzireVPN in late 2024. Both products use the same server software and hardware to provide customers with VPN connections and encryption services.

The audit of Malwarebytes Privacy VPN’s software found:  

  • 2 issues labeled as “Critical” 
  • 0 issues labeled as “High”  
  • 2 issues labeled as “Medium” 
  • 2 issues labeled as “Low”  

The audit determined issue severity, from Critical to Low, by assigning each finding a technical score under the Common Vulnerability Scoring System (CVSS). This industry-wide system is used by security researchers around the world to rate the severity of vulnerabilities discovered in software, hardware, and firmware. Scores run from 0.0 to 10.0; the higher the number, the more severe the vulnerability.  

According to the final report:  

“Overall, the systems demonstrate a strong security level and are well positioned to support user privacy, appearing to be on a good security level compared to systems of similar size and complexity. During our assessment, we did not observe evidence of user activity logging, and access to systems is tightly controlled, with no unnecessary remote, local, or SSH access exposed. While vulnerabilities were identified, most have already been addressed, including one critical issue, with remaining items in the process of being resolved.”

As recognized by auditors, our engineers have already fixed one “Critical” vulnerability, two “Medium” vulnerabilities, and one “Low” vulnerability. Our team is also actively working to fix one remaining critical vulnerability and one remaining low vulnerability in the software stack.

The issues 

X41 D-Sec found two critical issues. 

The first critical issue, which received a CVSS score of 9.4, concerns the initial setup and operation of the servers that Malwarebytes uses for its VPN.  

When connecting a new server to the network, Malwarebytes instructs that server to download and install what is called a “Debian image.” This is simply a downloadable file that installs the Debian operating system on a physical piece of computing hardware. It’s a process that is repeated countless times across the computing world every day to allow for the quick, trusted, and dispersed deployment of machines across a network.  

The researchers discovered that, while the Debian image was downloaded from a secure URL, the checksum file used to verify it did not have its signature validated against the Debian CD signing key. A checksum only proves that the image matches the checksum file the server handed out; unless that file's own signature is checked, anyone able to substitute the checksum file can substitute the image along with it.  

Signatures are paramount in the software world, as they prove that a program that has been downloaded onto a device is the actual program that was published by its developer. Without a proper signature check, an attacker could deliver a modified version of a program and still trick a computer into thinking it was legitimate.  

We recognize the severity of this vulnerability and have already implemented a fix.
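The check the audit called for, as an added example that is not Malwarebytes' provisioning code: a POSIX shell fragment that refuses to trust Debian's SHA256SUMS file until the detached OpenPGP signature over it (SHA256SUMS.sign) verifies against a keyring holding the Debian CD signing key, and only then compares the image's digest. The keyring path, the image file name and the sample usage line are assumptions; the SHA256SUMS and SHA256SUMS.sign names are the ones Debian publishes on its mirrors.

```shell
#!/bin/sh
# Added example, not Malwarebytes' provisioning code. Verifies a downloaded
# Debian installer image the way the audit recommends: the SHA256SUMS file is
# only trusted after its detached OpenPGP signature (SHA256SUMS.sign) verifies
# against the Debian CD signing key, and only then is the image digest compared.
# Assumptions: a keyring file holding the Debian CD signing key (give gpg a
# full path, e.g. /etc/provision/debian-cd.gpg) and an image named
# debian-netinst.iso; both names are placeholders.
set -u

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# The missing step in the audited flow: a checksum file is only as trustworthy
# as whoever served it, so verify the detached signature over it first. gpg
# exits non-zero for a bad signature, a key absent from the keyring, a missing
# signature file, or a missing gpg binary, so every failure mode fails closed.
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" >/dev/null 2>&1
}

# Look the image up by file name in SHA256SUMS (one "<hex>  <name>" entry per
# line, with an optional leading "*" marking binary mode) and compare digests.
verify_image_checksum() {
    sums="$1"; image="$2"; name=$(basename "$image")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    [ "$expected" = "$(sha256_of "$image")" ]
}

# Full hardened flow: signature first, digest second, never the digest alone.
verify_debian_image() {
    image="$1"; sums="$2"; sig="$3"; keyring="$4"
    if ! verify_sums_signature "$sums" "$sig" "$keyring"; then
        echo "SHA256SUMS signature did not verify; refusing to trust its checksums" >&2
        return 1
    fi
    verify_image_checksum "$sums" "$image"
}

# Usage on a provisioning host, after fetching the image, SHA256SUMS and
# SHA256SUMS.sign from the mirror:
#   verify_debian_image ./debian-netinst.iso ./SHA256SUMS ./SHA256SUMS.sign \
#       /etc/provision/debian-cd.gpg || exit 1
```

Order matters here: the digest comparison is meaningless until the signature over the checksum list has been verified, which is why `verify_debian_image` returns before touching the image when gpg does not report a good signature from a key in the dedicated keyring.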

The second critical issue, which received a CVSS score of 9.3, also concerns the behavior of Malwarebytes’ VPN servers upon booting up.  

To come online, Malwarebytes’ VPN servers use the Preboot Execution Environment (PXE), a firmware mechanism that lets a machine fetch its boot files over the network instead of from local disk. The security researchers warned that this process “lacks any form of cryptographic signature—so a ‘Man in the Middle’ attack may lead to an attacker’s code being executed on the client system.”  

PXE’s DHCP and TFTP exchanges carry no authentication, so an attacker who can answer or intercept them on the network the servers boot from could serve a malicious boot image; in our data centers, reaching that network would require significant physical access to the servers. Still, we understand the importance of this vulnerability and are working to address it.

The other four issues revealed the potential for replay attacks, port relay misuse, observable traffic, and a padding oracle that can be abused with enough persistence. Three of those issues—concerning replay attacks, observable traffic, and the padding oracle—have already been fixed, and our team is also working on a fix for the last issue.  

Transparently private 

There’s a myth out there that staying private online is about having something to hide. For a VPN provider like Malwarebytes, the reality is the opposite: We help people stay private online by showing them where we can improve. 

Not every company engages in a third-party audit, and not every company would be willing to share the results of said audit. In fact, a reported 77% of Android VPNs contained significant flaws regarding transparency and accountability—a fact rarely communicated by the VPNs themselves.

But what matters most in this effort, and for us, isn’t ego. What matters most is your privacy. With these results, we hope you can make a better and more informed decision about who you can trust with your internet traffic and activity.  

Malwarebytes thanks the penetration testing firm X41 D-Sec for conducting its audit, along with the security researchers involved: Djamal Touazi, JM, Markus Vervier and Robert Femmer.  

You can read the full audit below.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.


Source: https://www.malwarebytes.com/blog/product/2026/04/vpnsoftwareaudit