Review of AzireVPN and Malwarebytes Privacy VPN

X41 performed a white box penetration test against the AzireVPN framework, which is used to power the Malwarebytes Privacy VPN service. The full report can be found here: https://www.x41-dsec.de/static/reports/X41-Azire-Audit-Public-Report-2026-04-02.pdf.

The scope included the source code for all parts of the infrastructure, including the web interface, API and the VPN servers. Further, X41 received the hardware running one VPN server for a hardware penetration test. Therefore, X41 was able to gain insight into the entire stack, which was invaluable to assess the security properties of the whole system.

Results

Six vulnerabilities were discovered in the software of AzireVPN and seven issues were found related to the hardware of the VPN server. All vulnerabilities were of low or medium impact or have significant initial barriers. Overall, AzireVPN appears to have a high security level and is well-positioned to protect from threats.

The most serious vulnerability would allow an attacker to modify the Debian image during the build process of the VPN server image, if they were able to manipulate the Debian image while it is being downloaded over a secure connection. This would either require the attacker to be able to break TLS or exert control over Debian’s distribution server.

In conclusion, the software and hardware showed a low number of issues with limited impact or high initial barriers.