Third‑Party Audit Reveals Critical Vulnerabilities in Malwarebytes Privacy VPN, Mitigation Ongoing
What Happened – Malwarebytes disclosed the results of its first independent audit of the infrastructure that powers Malwarebytes Privacy VPN and AzireVPN. The audit identified two critical, two medium and two low CVSS‑rated issues; one critical flaw has been patched and the remaining critical and low findings are being remediated.
Why It Matters for TPRM –
- Audit transparency validates a vendor’s privacy claims and helps assess residual risk.
- Unaddressed critical vulnerabilities could expose client traffic or metadata, impacting data‑privacy compliance.
- Ongoing remediation timelines inform contract‑level risk‑mitigation clauses (e.g., SLA penalties, right to audit).
Who Is Affected – Cloud‑based SaaS VPN providers; enterprises that rely on VPNs for remote workforce security, especially those in regulated sectors (finance, health, government).
Recommended Actions –
- Review the audit report and verify that remediation milestones are met before the next reporting period.
- Update third‑party risk questionnaires to include audit frequency, CVSS thresholds, and evidence of remediation.
- Consider supplemental controls (e.g., network segmentation, traffic monitoring) until all critical findings are resolved.
Technical Notes – The audit uncovered a CVSS 9.4 critical issue in the server‑provisioning workflow, plus additional medium‑ and low‑severity bugs in the VPN software stack. No evidence of user‑activity logging was found; access controls were deemed “tightly controlled.”
Source: Malwarebytes Labs – VPN Software Audit