- Security researchers find multiple vulnerabilities in different tunneling protocols
- Bugs allowed threat actors to mount DoS attacks and more
- Most of the vulnerable endpoints were in China.
Millions of VPN servers, home routers and other Internet hosts could have multiple vulnerabilities that could allow threat actors to conduct anonymous attacks and grant them access to private networks, experts warned.
New research by Mathy Vanhoef, professor at KU Leuven University in Belgium, PhD student Angelos Beitis and Top10VPN discovered the vulnerabilities in multiple tunneling protocols: IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4, and received these identifiers: CVE-2024-7595, CVE-2025-23018, CVE-2025-23019, and CVE-2024-7596.
VPN tunneling protocols are methods used to securely transmit data between a user’s device and a VPN server by encapsulating it within an encrypted tunnel. Common protocols include PPTP, L2TP/IPsec, OpenVPN, and WireGuard, each offering varying levels of speed, security, and compatibility.
Millions of potential victims
Vulnerables primarily function to encapsulate one type of IP packet (IPv4 or IPv6) within another for network routing purposes. Unlike VPN-specific protocols, these are generally used for network transport rather than encryption or secure communication.
The research maintains that misconfigured systems accept tunnel packets without confirming the sender’s identity, making it “trivial to inject traffic into the tunnels of vulnerable protocols.”
A malicious actor could send an encapsulated packet using one of the affected protocols with two IP headers, where the outer header contains the attackers’ source IP with the vulnerable host’s IP as the destination. The source IP of the internal header is the IP of the vulnerable host, while the destination IP is that of the destination.
Then, when the vulnerable host receives the packet, it removes the external IP header and forwards the internal packet to its destination, paving the way for the creation of a one-way proxy and abusing the bug to execute DoS attacks, DNS spoofing, and more.
The researcher said they scanned the Internet for vulnerable hosts and found 4.26 million, including several VPN servers, ISP-provided home routers, core Internet routers, mobile network gateways and nodes, and CDN nodes, most of which which were located in China.
“All vulnerable hosts can be hijacked to perform anonymous attacks, as external packet headers containing the attacker’s real IP address are removed. However, these attacks are easily traceable to the compromised host, which can then be protected,” the researchers explained.
“Phishing-capable hosts can have ANY IP address as the source address in the internal packet, so not only does an attacker remain anonymous, but the compromised host also becomes much more difficult to discover and protect.” “they added.
