- An independent audit found zero critical, high, or medium-severity issues
- Only a low-severity issue surfaced and was fixed immediately
- This reinforces Mullvad’s no-logs policy, confirming user data stays private
Mullvad, one of the best VPN services for online privacy, has once again opened its doors to independent scrutiny.
In August 2025, Swedish security consultancy Assured Security Consultants completed a comprehensive penetration test of Mullvad’s web application. The findings, published in a detailed report and highlighted in Mullvad’s recent blog post, reinforce the service’s long-standing claim that it never logs user data.
The audit covered every public-facing component of Mullvad’s online presence, including the website, the Tor-only Onion service, the rsync setup, and the internal content management system (CMS). Each of these elements was examined for common attack vectors, misconfigurations, or any signs of hidden data collection.
While the bulk of the assessment came back clean, the auditors identified a single low-severity input-validation issue. Mullvad responded immediately with a follow-up verification in late September, confirming that the fix was effective. Below, we break down the specific components that were examined.
An independent security audit of our web app has just been completed by Assured. The assessment found no critical, high, or medium-severity issues. Read more here: https://t.co/E42w6JQvRg (October 23, 2025)
Report praises Mullvad’s “good security practices”
Assured’s penetration test began with a thorough examination of the public web interface, probing for classic web-application flaws such as SQL injection, cross-site scripting, and authentication bypass. None of these high-impact vulnerabilities were discovered, indicating that the codebase and deployment pipelines are well-hardened.
The Tor-only Onion service was found to be completely isolated from the broader internet, preserving the anonymity of users who choose to connect through Tor. This segregation prevents any correlation between Onion traffic and ordinary web traffic, reinforcing Mullvad’s privacy guarantees.
The rsync system, which keeps content consistent across servers, showed no exploitable weaknesses. Proper authentication and integrity checks were in place, ensuring that only authorized changes could be applied to synchronized files.
The internal CMS used by Mullvad staff received particular commendation. It’s separated from both the public internet and Mullvad’s own VPN network, meaning that only authorized internal machines can reach it. This strict network segmentation reduces the attack surface and safeguards the publishing workflow from external intrusion.
One low-severity input-validation issue was found. Certain form fields lacked explicit length limits, which could have allowed unusually large inputs to consume excessive resources or expose raw error messages. Mullvad patched this problem promptly, with Assured’s report confirming it was “fixed according to our recommendations.”
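The class of issue described above (form fields without explicit length limits, and raw error messages reaching the client) can be illustrated with a small server-side check. This is an added example, not code from Mullvad or from Assured's report; the field names, limits and function names are hypothetical.

```python
import logging
import uuid
from urllib.parse import parse_qs

log = logging.getLogger("forms")
MAX_BODY_BYTES = 4096  # assumed cap on the whole submission
FIELD_LIMITS = {"email": 254, "subject": 120, "message": 2000}  # hypothetical fields


class FormRejected(Exception):
    """Raised with a message that is safe to show to the client."""


def parse_form(raw_body: bytes) -> dict:
    # Check total size before any parsing so oversized input costs almost nothing.
    if len(raw_body) > MAX_BODY_BYTES:
        raise FormRejected("Submission too large.")
    try:
        fields = parse_qs(raw_body.decode("utf-8"), keep_blank_values=True,
                          max_num_fields=len(FIELD_LIMITS))
    except ValueError:  # bad UTF-8 or more fields than the form defines
        raise FormRejected("Malformed submission.") from None
    clean = {}
    for name, values in fields.items():
        limit = FIELD_LIMITS.get(name)
        if limit is None or len(values) != 1:
            raise FormRejected("Unexpected form field.")
        if len(values[0]) > limit:
            raise FormRejected(f"Field '{name}' exceeds {limit} characters.")
        clean[name] = values[0]
    return clean


def handle_submission(raw_body: bytes, process=lambda form: None):
    """Return (status, body); internal errors never reach the client verbatim."""
    try:
        form = parse_form(raw_body)
        process(form)
        return 200, "OK"
    except FormRejected as exc:
        return 400, str(exc)
    except Exception:
        ref = uuid.uuid4().hex[:8]  # lets staff find the full trace in the logs
        log.exception("form handling failed ref=%s", ref)
        return 500, f"Internal error (ref {ref})."
```

The full exception is written only to the server log; the client sees a fixed message and a reference ID.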
The report concludes that Mullvad has “good security practices”, which include regular code reviews and timely patch deployment.
Why this matters for Mullvad users
Mullvad’s privacy claims have survived not only technical audits but real-world legal pressure. In early 2024, Swedish police executed a search warrant on Mullvad’s Gothenburg office, hoping to uncover subscriber data. The raid produced nothing because Mullvad doesn’t retain IP addresses, traffic logs, or connection timestamps, further proving Mullvad’s no-logs policy.
Independent security audits have repeatedly validated Mullvad’s technical safeguards. Indeed, Mullvad put its VPN apps under scrutiny in late 2024 as auditors carried out penetration tests and source-code audits, concluding that Mullvad apps have “a high security level.”
Assured’s audit of Mullvad’s web platform uncovered no critical, high, or medium-severity issues. Together, these independent examinations create a layered record that Mullvad’s privacy promises withstand both legal pressure and technical scrutiny.
Mullvad users can therefore trust that their online activity remains invisible, making Mullvad one of the most dependable choices for anyone who values their online privacy.




