A critical zero-day vulnerability in a widely used VPN client has potentially exposed the browsing data of 50 million users to interception. The flaw, tracked as CVE-2026-2847, lets an attacker defeat the VPN tunnel and read the user's traffic in the clear.
Security researchers at Google's Project Zero discovered the vulnerability, which affects all versions of the VPN client released in the past 18 months. The flaw exists in the key exchange protocol and can be exploited through a man-in-the-middle attack on the user's local network.
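The article does not describe the actual defect, so the following is an added illustration only, not code from the article, the VPN vendor, or Project Zero, and not a reproduction of CVE-2026-2847. It shows the general class of weakness being described: a key exchange whose public values arrive with no proof of who sent them, so an attacker on the same local network can substitute their own values in both directions and end up holding both sides' session keys. The second exchange adds the minimal fix, the server proving possession of a long-term key over the value it sends, and shows the client rejecting the substituted value. The toy Diffie-Hellman group, the HMAC standing in for a signature, and all key and function names are assumptions for the demo.

```python
"""Toy demo: an unauthenticated key exchange falls to an on-path (LAN) attacker;
authenticating the server's value stops the substitution. Illustrative only."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (a Mersenne prime), chosen so the demo runs instantly.
# Real VPNs use 2048-bit+ MODP groups or elliptic curves; these values are NOT safe for use.
P = 2**127 - 1
G = 5
NBYTES = (P.bit_length() + 7) // 8

# Constructed long-term key known to the server and (its MAC) verifiable by the client.
# It stands in for a signing key / certificate in a real protocol.
LONG_TERM_KEY = b"constructed-server-long-term-key-for-demo"


def keygen():
    """Fresh ephemeral DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(NBYTES, "big")).digest()


def authenticate(pub):
    """Tag a public value under the long-term key (stand-in for a signature)."""
    return hmac.new(LONG_TERM_KEY, pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def unauthenticated_exchange(attacker_on_path):
    """Client and server exchange bare DH values over the network.

    Returns (client_key, server_key, attacker_keys); attacker_keys is None when
    nobody is on the path, otherwise (key_shared_with_client, key_shared_with_server).
    """
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    if not attacker_on_path:
        return shared_key(c_priv, s_pub), shared_key(s_priv, c_pub), None
    # An on-path attacker replaces each side's public value with its own. Neither side
    # can tell, because nothing ties a value to the party that was supposed to send it.
    a_priv, a_pub = keygen()
    client_key = shared_key(c_priv, a_pub)  # client believes a_pub came from the server
    server_key = shared_key(s_priv, a_pub)  # server believes a_pub came from the client
    attacker_keys = (shared_key(a_priv, c_pub), shared_key(a_priv, s_pub))
    # The attacker now decrypts with one key and re-encrypts with the other: a transparent
    # relay that sees every byte the user believed was tunnelled.
    return client_key, server_key, attacker_keys


def authenticated_exchange(attacker_on_path):
    """Same exchange, but the server's DH value carries a tag under its long-term key.

    Returns (client_key, server_key, None); client_key and server_key are None when the
    client aborts because the received value fails verification.
    """
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    s_tag = authenticate(s_pub)
    if attacker_on_path:
        # The attacker can still swap the value but cannot produce a valid tag for it.
        _a_priv, a_pub = keygen()
        received_pub, received_tag = a_pub, s_tag
    else:
        received_pub, received_tag = s_pub, s_tag
    if not hmac.compare_digest(received_tag, authenticate(received_pub)):
        return None, None, None  # handshake rejected; no session is established
    # In a real protocol the client is authenticated too (mutual auth or a later login step).
    return shared_key(c_priv, received_pub), shared_key(s_priv, c_pub), None


if __name__ == "__main__":
    ck, sk, atk = unauthenticated_exchange(attacker_on_path=True)
    print("unauthenticated, attacker on path: attacker holds both keys ->",
          atk == (ck, sk))
    ck, sk, _ = authenticated_exchange(attacker_on_path=True)
    print("authenticated, attacker on path: client aborted ->", ck is None)
```

The takeaway for the article's scenario is that the "man-in-the-middle on the local network" is only meaningful if the handshake lets the attacker's values pass as the peer's; once the client checks who a value came from, being on the path buys the attacker nothing but a failed handshake.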
The VPN provider has released an emergency patch and is urging all users to update immediately. However, many users have automatic updates disabled, meaning millions may remain vulnerable for weeks or months.
The incident underscores the irony that VPN software, used specifically for privacy and security, can itself become an attack vector. Security experts recommend reviewing VPN providers' audit reports and choosing services that have undergone a recent independent security assessment.
CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and is requiring federal agencies to patch or disable the affected software within 72 hours. Evidence suggests that state-sponsored actors were aware of the vulnerability before its public disclosure.