
Malwarebytes has completed the first independent security audit of its Privacy VPN infrastructure, revealing a generally strong security posture alongside critical vulnerabilities that have since been fixed or are still being remediated.
The audit was conducted by German security firm X41 D-Sec between December 2025 and January 2026 as a white-box penetration test and source code review of the infrastructure powering both Malwarebytes Privacy VPN and AzireVPN.
Malwarebytes, a well-known cybersecurity vendor offering antivirus, endpoint protection, and privacy tools to millions of users globally, acquired AzireVPN in late 2024 and now operates both services on shared infrastructure. This unified platform formed the scope of the audit, which aimed to validate the company’s no-logs claims, infrastructure hardening, and resistance to both remote and physical attacks.
Critical flaws in the supply chain and boot process
The audit identified a total of 14 vulnerabilities: two rated critical, eight medium, and four low severity. Notably, no high-severity flaws were found.
One of the most serious issues (CVSS 9.4) involved the deployment pipeline for VPN servers. Researchers discovered that while Debian OS images were downloaded over HTTPS, the cryptographic signature of the checksum file was not verified. This gap could allow attackers to substitute malicious system images under certain supply chain attack scenarios, potentially leading to full server compromise.
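To make the missing step concrete, here is an added example (not Malwarebytes' or X41's code) of the check a deployment pipeline should perform before trusting a downloaded image: verify the publisher's signature over the checksum file first, and only then compare the image against the checksum it lists. Ed25519 is used here as a stand-in for the OpenPGP signature Debian actually publishes, and the image bytes, file name and key pair are all constructed for the demonstration. UnverifiedCheck reproduces the flawed logic, in which a substituted image and a matching substituted checksum file pass together.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// VerifyImage performs the two-step check: the signature over the checksum
// file must verify (the step the audit found missing) before the checksum
// file is used to judge the image. Ed25519 stands in for the real GPG signature.
func VerifyImage(pub ed25519.PublicKey, sums, sig []byte, imageName string, image []byte) error {
	if !ed25519.Verify(pub, sums, sig) {
		return errors.New("checksum file signature invalid: refusing to trust checksums")
	}
	want, err := lookupChecksum(sums, imageName)
	if err != nil {
		return err
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("image %s: sha256 mismatch", imageName)
	}
	return nil
}

// UnverifiedCheck models the flawed pipeline: the checksum file is trusted as
// downloaded, so whoever can substitute the image can substitute its checksum too.
func UnverifiedCheck(sums []byte, imageName string, image []byte) error {
	want, err := lookupChecksum(sums, imageName)
	if err != nil {
		return err
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("image %s: sha256 mismatch", imageName)
	}
	return nil
}

// lookupChecksum parses the "<hex sha256>  <filename>" lines used by
// Debian's SHA256SUMS files and returns the digest recorded for name.
func lookupChecksum(sums []byte, name string) ([]byte, error) {
	sc := bufio.NewScanner(bytes.NewReader(sums))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		// Some tools write "*filename" for binary mode; strip the marker.
		if strings.TrimPrefix(fields[1], "*") != name {
			continue
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("malformed digest for %s", name)
		}
		return digest, nil
	}
	return nil, fmt.Errorf("no checksum entry for %s", name)
}

// SumsFile builds a one-line SHA256SUMS file for image (constructed test data).
func SumsFile(name string, image []byte) []byte {
	d := sha256.Sum256(image)
	return []byte(hex.EncodeToString(d[:]) + "  " + name + "\n")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	image := []byte("constructed debian image bytes")
	sums := SumsFile("debian.iso", image)
	sig := ed25519.Sign(priv, sums)
	fmt.Println("genuine image, verified:     ", VerifyImage(pub, sums, sig, "debian.iso", image))

	// A substituted image shipped with its own matching checksum file.
	evil := []byte("constructed substituted image")
	evilSums := SumsFile("debian.iso", evil)
	fmt.Println("substituted, unverified:     ", UnverifiedCheck(evilSums, "debian.iso", evil))
	fmt.Println("substituted, sig verified:   ", VerifyImage(pub, evilSums, sig, "debian.iso", evil))
}
```

The point of the ordering is that the checksum file only has meaning once its signature has been checked against a key obtained out of band; a checksum fetched from the same place as the image protects against corruption, not against substitution.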
The second critical flaw (CVSS 9.3) affected the PXE-based boot process used by VPN servers. The lack of cryptographic verification in the boot chain means a man-in-the-middle attacker, particularly one with physical or network-level access, could inject malicious code during system startup.
Additionally, X41 identified a cryptographic design flaw in the VPN relay communication layer, where AES-CBC encryption was used without proper authentication. This could enable attackers to craft arbitrary control messages under specific conditions, exposing weaknesses in how authenticity and confidentiality were handled.
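The following added example (not the audited relay code) illustrates why unauthenticated AES-CBC is a design flaw: a receiver that only decrypts has no way to tell a modified ciphertext from a genuine one, whereas an authenticated mode such as AES-GCM rejects any modification. The key, the sample control message and the single-bit modification are all constructed for the demonstration; the relay's real message format is not known from the article.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// pad and unpad implement PKCS#7, which CBC needs for non-block-sized input.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// CBCEncrypt provides confidentiality only: the weak design described in the audit.
func CBCEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pt := pad(plaintext)
	out := make([]byte, len(iv)+len(pt))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

// CBCDecrypt has no integrity check: a modified ciphertext decrypts without error.
func CBCDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	pt := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, body)
	return unpad(pt)
}

// GCMEncrypt and GCMDecrypt use authenticated encryption; Open fails on any change.
func GCMEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func GCMDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("bad length")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// FlipBit returns a copy of ct with one bit changed, modelling in-transit modification.
func FlipBit(ct []byte, i int) []byte {
	out := append([]byte(nil), ct...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key
	msg := []byte("constructed control message")
	cbc, _ := CBCEncrypt(key, msg)
	pt, err := CBCDecrypt(key, FlipBit(cbc, 0))
	fmt.Printf("CBC: err=%v, plaintext unchanged=%v\n", err, bytes.Equal(pt, msg))
	gcm, _ := GCMEncrypt(key, msg)
	_, err = GCMDecrypt(key, FlipBit(gcm, 0))
	fmt.Printf("GCM: err=%v\n", err)
}
```

The CBC receiver returns a different plaintext and no error, so nothing downstream can distinguish the altered message from a legitimate one; the GCM receiver returns an error before any plaintext is produced. The fix for such a design is an AEAD mode, or encrypt-then-MAC with a constant-time tag comparison, with the authentication check performed before any decryption output is acted on.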
Physical security and hardware attack vectors
Beyond software, the audit included a hands-on hardware penetration test that uncovered multiple weaknesses in physical hardening. Although Malwarebytes had implemented measures such as epoxy-sealed ports and disabled interfaces, researchers were able to bypass these protections with relatively simple techniques.
In one case, the team physically accessed the system’s BIOS flash chip and extracted the BIOS password using a reversible XOR-based encoding scheme. They also demonstrated that pre-boot DMA attacks could be used to dump system memory and potentially extract sensitive data such as WireGuard private keys.
Other findings included incomplete protection of internal components, such as USB headers, BIOS chips, and PCIe interfaces, which could allow attackers with brief physical access to compromise servers.
Remediation efforts underway
Malwarebytes stated that it has already fixed one critical vulnerability, along with several medium and low-severity issues. The remaining critical flaw, related to the PXE boot chain, is still being addressed.
The audit also confirmed several positive security practices. VPN server images were found to disable logging and remote access mechanisms such as SSH by default, aligning with privacy-focused design goals. Furthermore, auditors reported no evidence of user activity logging and noted strict access controls across systems.
