KENSAI research reveals that 41% of enterprise VPN gateways use self-signed or expired certificates. This creates blind spots for MITM attacks and undermines the entire security posture of remote access infrastructure.
While organizations invest millions in next-generation firewalls and zero-trust architectures, a fundamental security gap persists: 41% of enterprise VPN gateways still use self-signed or expired TLS certificates. KENSAI's scan of 12,000+ VPN endpoints across DACH region enterprises reveals this hidden risk that most security audits overlook.
Self-signed: 28% | Expired: 9% | Weak algorithms (SHA-1): 4% | Total at risk: 41%
When a VPN client encounters a self-signed certificate, it either rejects the connection (breaking access) or users are trained to accept warnings. This "click through" behavior eliminates the primary defense against MITM attacks — certificate validation.
Self-signed certificates cannot be revoked through standard CRL or OCSP mechanisms. If a private key is compromised, there's no way to invalidate the certificate across all clients without manual intervention on every device.
NIS2 Article 21 requires "appropriate and proportionate technical measures" for network security. Self-signed certificates on critical infrastructure fail this requirement. ISO 27001 control A.10.1 specifically addresses cryptographic controls and certificate management.
When third-party vendors connect to your VPN with self-signed certificates, they create an unverifiable trust chain. An attacker who compromises the vendor can present their own self-signed certificate without detection.
| Certificate Issue | Prevalence | Risk Level |
|---|---|---|
| Self-signed (no CA chain) | 28% | Critical |
| Expired certificates | 9% | High |
| SHA-1 signatures | 4% | High |
| Wildcard on VPN endpoints | 12% | Medium |
| Missing OCSP stapling | 67% | Medium |
| Proper CA-signed, current | 59% | Low |
Under NIS2, self-signed certificates on critical VPN infrastructure could constitute a failure to implement appropriate technical measures (Article 21). Organizations found non-compliant face fines up to €10 million. More critically, if a breach occurs through a self-signed certificate vulnerability, the organization may face additional penalties for negligence.
AI-powered vulnerability management with 331,910+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team