What Cure53 tested
In 2025, NordVPN commissioned Cure53 to conduct a broad security assessment covering both our applications and our infrastructure. Cure53 is a Germany-based penetration testing firm with more than 15 years of software testing experience.
The auditors ran a series of white-box and gray-box penetration tests (pentests) and conducted extensive source code reviews. Nineteen senior testers worked closely with our engineers and were granted full access to all materials required for testing. The assessment took place in May, June, and October 2025 and spanned several dozen working days across the project.
The scope touched many different NordVPN components, including:
- Android, iOS, Windows, macOS, and Linux applications.
- Browser extensions for Chrome, Edge, and Firefox.
- Threat Protection components, including malware scanning and network filtering.
- NordAccount authentication and MFA flows.
- Core APIs for the VPN, Threat Protection, Meshnet, and account services.
- VPN servers and supporting infrastructure.
- Containerized services, authentication logic, and internal access controls inside the server environment.
What the Cure53 audit found
Despite the relatively broad scope of the audit, Cure53 found no critical vulnerabilities in any part of the assessment. The auditors did flag several items as high severity and requiring attention; all of these have already been fixed, and Cure53 has verified each fix to be functioning as expected. The remaining findings ranged from medium to informational (lower-impact matters that do not threaten user security but help us tighten internal protections) and were typical for a security review of this scale. Alongside these findings, the auditors highlighted a few areas where the service performed especially well.
Secure client applications
The audit revealed that our applications follow strong security practices across all major platforms. On mobile, the Android and iOS apps implement strict security practices, including secure data storage, controlled WebView usage, biometric protections, and device binding. On desktop, the auditors noted secure IPC design, robust firewall logic, and proper validation of deep links and file operations.
Strong authentication and account protection
The NordAccount system also stood up well to Cure53’s testing, showing secure token handling, consistent input validation, and the correct use of industry standards such as PKCE. The auditors confirmed that session isolation and state validation helped prevent common authentication bypass attempts.
Well-structured and reliable APIs
Backend APIs showed strong access control enforcement, thorough sanitization, and safe handling of sensitive actions. Core components, including referral systems, subscription flows, and Meshnet APIs, worked as intended under detailed testing.
Robust Threat Protection logic
Cure53 reviewed the malware detection components and found that hash-based and machine-learning approaches were implemented safely. The auditors did not identify bypass methods for scanning engines or traffic filtering mechanisms.
Secure and resilient infrastructure
When Cure53 inspected our server environment, they confirmed that our VPN servers are properly hardened and employ restrictive firewall rules and strong container isolation. The auditors concluded that NordVPN’s overall hardening strategy forms a strong foundation for server security.
How NordVPN responded
Once Cure53 delivered its findings, our engineers began improving the service right away. The issues flagged as most urgent were addressed first, and Cure53 later confirmed that the corrective work functioned as intended. The remaining items were either resolved or reviewed with the auditors to make sure the safeguards we already had in place remained appropriate.
Some findings were known limitations or accepted risks — situations where changing a component would create new complications without improving security. In these cases, we worked with Cure53 to validate that the existing protections remain sufficient.
Both of the full assessment reports are available to NordVPN users through their accounts or via the links below:
- App security assessment report
- Infrastructure security assessment report
Keeping NordVPN secure
Security is an area that requires ongoing effort, and regular reviews such as this one help us identify potential issues early and prevent new cyber threats from taking hold. That is why we will continue to invest in strengthening NordVPN by running independent security audits and refining our infrastructure wherever possible.
Security work never ends, and each new assessment helps us make the service even safer. The latest Cure53 test results show that NordVPN’s applications and systems remain well-protected, and we will continue to improve them for the benefit of all users who rely on our service. We would also like to thank the entire Cure53 team for its thorough work and cooperation throughout this assessment. Their expertise supports our commitment to keeping NordVPN secure.