CAPTCHA is an effective mechanism for protecting computers from malicious bots. With the development of deep learning techniques, current mainstream text-based and traditional image-based CAPTCHAs have been proven to be insecure. Therefore, a major effort has been directed toward developing new CAPTCHAs by utilizing some other hard Artificial Intelligence (AI) problems. Recently, some commercial companies (Tencent, NetEase, Geetest, etc.) have begun deploying a new type of CAPTCHA based on visual reasoning to defend against bots. As a newly proposed CAPTCHA, it is therefore natural to ask a fundamental question: are visual reasoning CAPTCHAs as secure as their designers expect? This paper explores the security of visual reasoning CAPTCHAs. We proposed a modular attack and evaluated it on six different real-world visual reasoning CAPTCHAs, which achieved overall success rates ranging from 79.2% to 98.6%. The results show that visual reasoning CAPTCHAs are not as secure as anticipated; this latest effort to use novel, hard AI problems for CAPTCHAs has not yet succeeded. Then, we summarize some guidelines for designing better visual-based CAPTCHAs, and based on the lessons we learned from our attacks, we propose a new CAPTCHA based on commonsense knowledge (CsCAPTCHA) and show its security and usability experimentally.