- An independent audit found no critical, high or medium severity issues.
- Only one low severity issue occurred and was resolved immediately
- This reinforces Mullvad’s no-logging policy, confirming that user data remains private
Mullvad, one of the best VPN services for online privacy, has once again opened its doors to an independent review.
In August 2025, Swedish security consultancy Assured Security Consultants carried out a comprehensive penetration test of Mullvad’s web application. The findings, published in a detailed report and highlighted in Mullvad’s recent blog post, reinforce the service’s long-standing claim that it never logs user data.
The audit covered all public components of Mullvad’s online presence, including the website, the Onion Tor-only service, the rsync configuration, and the internal content management system (CMS). Each of these elements was examined for common attack vectors, misconfigurations, or any signs of hidden data collection.
Although most of the assessment was found to be error-free, auditors identified only one low-severity input validation issue. Mullvad responded immediately with a follow-up check in late September, confirming that the fix was effective. Below we break down the specific components that were looked at.
An independent security audit of our web application has just been carried out by Assured. The assessment did not reveal any critical, high or medium severity issues. Learn more here: https://t.co/E42w6JQvRgOctober 23, 2025
Report praises Mullvad’s ‘good security practices’
Assured’s penetration test began with a thorough examination of the public web interface, looking for typical web application vulnerabilities such as SQL injection, cross-site scripting, and authentication bypass. None of these high-impact vulnerabilities were discovered, indicating that the codebase and deployment pipelines are well-hardened.
The rsync system, which maintains content consistency across all servers, showed no exploitable weaknesses. Proper authentication and integrity controls were in place, ensuring that only authorized changes could be applied to synced files.
The internal CMS used by Mullvad’s staff received particular praise. It’s separate from both the public Internet and Mullvad’s own VPN network, meaning only authorized internal machines can access it. This strict network segmentation reduces the attack surface and protects the publishing flow from external intrusions.
A low severity input validation issue was detected. Some form fields did not have an explicit length limit, which could have allowed unusually large inputs to consume excessive resources or expose crude error messages. Mullvad quickly fixed this issue, with Assured’s report confirming that it was “resolved in accordance with our recommendations.”
The report concludes that Mullvad follows “good security practices,” which include regular code reviews and timely deployment of patches.
Why it matters to Mullvad users
Mullvad’s privacy claims have survived not only technical audits, but also real-world legal pressures. At the start of 2024, the Swedish police executed a search warrant at Mullvad’s office in Gothenburg, hoping to uncover subscriber data. The raid produced nothing because Mullvad does not keep IP addresses, traffic logs, or connection timestamps, further proving Mullvad’s no-logging policy.
Independent security audits have repeatedly validated Mullvad’s technical guarantees. Indeed, Mullvad subjected its VPN applications to scrutiny in late 2024 as auditors conducted penetration tests and source code audits, concluding that Mullvad applications had “a high level of security.”
Assured’s audit of Mullvad’s web platform did not reveal any critical, high or medium issues. Together, these independent reviews create a multi-layered case in which Mullvad’s privacy promises withstand both legal pressure and technical scrutiny.
Mullvad users can therefore be sure that their online activity remains invisible, making Mullvad one of the most trusted choices for anyone who values their online privacy.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
