A cross-agency security audit finds that 67 percent of agencies are using VPN solutions with known unpatched vulnerabilities, creating significant risk for the 1.2 million federal teleworkers.
A cross-agency security audit of federal telework infrastructure found that 67 percent of the 87 agencies audited are operating VPN solutions containing at least one known exploitable vulnerability for which patches have been available for more than 30 days.
The audit identified 1,847 distinct VPN appliances across federal agencies operating with critical or high-severity vulnerabilities rated 9.0 or above on the CVSS scale. Threat intelligence indicates that 23 of these vulnerability types are being actively exploited in campaigns targeting federal remote access infrastructure.
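The two criteria the audit applies, a CVSS score of 9.0 or above and a vendor patch available for more than 30 days, are easy to turn into an inventory triage check. The following is an added example written for this page, not code from the audit, CISA, or GovAcademy; the inventory records, agency names, appliance ids and `CVE-PLACEHOLDER-*` strings are constructed sample data, and the `as_of` date is an assumption.

```python
"""Apply the audit's two criteria (CVSS >= 9.0, patch available > 30 days)
to a VPN appliance vulnerability inventory.

Added example, not the audit's own tooling. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date

CVSS_THRESHOLD = 9.0   # audit criterion: rated 9.0 or above
PATCH_AGE_DAYS = 30    # audit criterion: patch available for more than 30 days


@dataclass(frozen=True)
class Finding:
    agency: str
    appliance_id: str
    vuln_id: str          # placeholder identifier, not a real CVE from the page
    cvss: float
    patch_released: date  # date the vendor fix became available
    patched: bool         # whether this appliance has the fix applied


def is_overdue_critical(f: Finding, as_of: date) -> bool:
    """True when an unpatched finding meets both audit criteria."""
    if f.patched:
        return False
    patch_age = (as_of - f.patch_released).days
    return f.cvss >= CVSS_THRESHOLD and patch_age > PATCH_AGE_DAYS


def audit(findings: list[Finding], as_of: date) -> dict:
    """Summarise exposure the way the audit reports it: per agency and per appliance.

    An appliance with several overdue findings is counted once; an agency is
    'affected' if it has at least one flagged appliance.
    """
    agencies = {f.agency for f in findings}
    flagged = {(f.agency, f.appliance_id)
               for f in findings if is_overdue_critical(f, as_of)}
    affected = {agency for agency, _ in flagged}
    pct = round(100 * len(affected) / len(agencies), 1) if agencies else 0.0
    return {
        "agencies_audited": len(agencies),
        "agencies_affected": len(affected),
        "appliances_flagged": len(flagged),
        "pct_agencies_affected": pct,
    }


# Constructed sample inventory; dates chosen around an assumed as_of of 2024-06-30.
SAMPLE_FINDINGS = [
    Finding("Agency-A", "vpn-01", "CVE-PLACEHOLDER-1", 9.8, date(2024, 4, 1), False),   # 90 days, flagged
    Finding("Agency-A", "vpn-02", "CVE-PLACEHOLDER-2", 9.1, date(2024, 6, 15), False),  # 15 days, inside window
    Finding("Agency-B", "vpn-01", "CVE-PLACEHOLDER-3", 7.5, date(2024, 1, 1), False),   # high, but below 9.0
    Finding("Agency-B", "vpn-01", "CVE-PLACEHOLDER-4", 9.0, date(2024, 5, 1), True),    # overdue but patched
    Finding("Agency-C", "vpn-03", "CVE-PLACEHOLDER-5", 10.0, date(2024, 3, 1), False),  # flagged
    Finding("Agency-C", "vpn-03", "CVE-PLACEHOLDER-6", 9.4, date(2024, 2, 1), False),   # same appliance, counted once
    Finding("Agency-D", "vpn-01", "CVE-PLACEHOLDER-7", 5.3, date(2024, 1, 1), False),   # medium, not flagged
]
AS_OF = date(2024, 6, 30)


def run_sample() -> dict:
    return audit(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The boundary matters: a patch released exactly 30 days before `as_of` is not yet overdue under the "more than 30 days" wording, so the comparison is strict. Appliances are deduplicated by (agency, appliance id) so that one box with several overdue findings does not inflate the count; a real inventory would also want to record firmware version and the date the finding was first observed, which the page does not discuss.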
The federal telework population has expanded to approximately 1.2 million employees — nearly 38 percent of the total federal civilian workforce — making secure remote access infrastructure a matter of national security significance.
CISA's preferred alternative to legacy VPN — Zero Trust Network Access — has been adopted by 31 percent of agencies for at least some remote access use cases. Agencies using ZTNA for at least 50 percent of remote access had zero critical VPN vulnerabilities.
GovAcademy's Secure Remote Work for Agencies course (GA-022) addresses both the immediate VPN vulnerability management challenge and the longer-term ZTNA transition pathway, covering the M-22-09 requirements driving the ZTNA migration.
The audit's findings reinforce the relevance of GovAcademy's Zero Trust Architecture course (GA-001), which positions ZTNA as the strategic alternative to legacy VPN infrastructure.
CISA has issued a Telework Security Guide update alongside the audit report, providing specific technical guidance for patching the most commonly exploited VPN vulnerabilities. GovAcademy's Secure Remote Work course has been updated to reference the new guide.