- An independent audit found no critical, high or medium problems
- Only one low-severity problem appeared and was fixed immediately
- This reinforces Mullvad’s no-logs policy, confirming that user data remains private
Mullvad, one of the best VPN services for online privacy, has once again opened its doors to independent scrutiny.
In August 2025, the Swedish security consulting firm Assured Security Consultants conducted a comprehensive penetration test of Mullvad’s web application. The findings, published in a detailed report and highlighted in Mullvad’s latest blog post, reinforce the service’s long-standing claim that it never logs user data.
The audit covered all public-facing components of Mullvad’s online presence, including the website, the Tor-onion service, the rsync setup, and the internal content management system (CMS). Each of these elements was examined for common attack vectors, misconfigurations, or signs of covert data collection.
While the majority of the assessment came back clean, the auditors identified a single input validation issue of low severity. Mullvad immediately responded with a follow-up verification in late September, confirming that the fix was effective. Below we break down the specific components that were investigated.
An independent security audit of our web app has just been completed by Assured. The assessment found no critical, high or medium problems. Read more here: https://t.co/E42w6JQvRg (23 October 2025)
The report praises Mullvad’s “good security practices”
Assured’s penetration testing started with a thorough examination of the public web interface, testing for classic web application vulnerabilities such as SQL injection, cross-site scripting, and authentication bypass. None of these severe vulnerabilities were detected, indicating that the code base and deployment pipelines are well hardened.
The rsync system, which keeps content consistent across servers, showed no exploitable weaknesses. Proper authentication and integrity checks were in place, ensuring that only authorized changes could be applied to synced files.
The in-house CMS used by the Mullvad staff received particular praise. It is separated from both the public internet and Mullvad’s own VPN network, meaning that only authorized internal machines can reach it. This strict network segmentation reduces the attack surface and protects the publishing workflow from external intrusion.
A low severity input validation issue was found. Certain form fields lacked explicit length limits, which could have allowed unusually large inputs to consume excessive resources or expose raw error messages. Mullvad fixed this issue promptly, and Assured’s report confirmed that it was “resolved according to our recommendations.”
The report concludes that Mullvad has “good security practices” which include regular code reviews and timely patch deployment.
Why this matters to Mullvad users
Mullvad’s privacy claims have survived not only technical audits, but real-world legal pressure. In early 2024, Swedish police executed a search warrant at Mullvad’s Gothenburg office in hopes of uncovering subscriber data. The raid yielded nothing because Mullvad does not retain IP addresses, traffic logs, or connection timestamps, further proving Mullvad’s no-logs policy.
Independent security audits have repeatedly validated Mullvad’s technical security measures. In fact, Mullvad put its VPN apps under scrutiny in late 2024 when auditors performed penetration tests and source code audits, concluding that Mullvad apps have “a high level of security.”
Assured’s audit of Mullvad’s web platform revealed no critical, high or medium issues. Together, these independent investigations create a layered record that Mullvad’s privacy promises withstand both legal pressure and technical scrutiny.
Mullvad users can therefore trust that their online activity remains invisible, making Mullvad one of the most reliable choices for anyone who values their online privacy.