New research has uncovered critical vulnerabilities in several widely used tunneling protocols, exposing millions of devices to potential exploitation. The findings highlight serious security gaps that could allow attackers to launch anonymous attacks, gain unauthorized access to networks, and disrupt services on a massive scale.
Millions of Devices at Risk Worldwide
A study conducted by Top10VPN, in collaboration with KU Leuven professor Mathy Vanhoef, has revealed that 4.2 million internet hosts are vulnerable to attacks due to flaws in tunneling protocols. These include VPN servers, ISP home routers, core internet routers, mobile network gateways, and CDN nodes.
China, France, Japan, the U.S., and Brazil lead the list of countries with the most affected systems, making this a global concern. Attackers can exploit these systems to carry out denial-of-service (DoS) attacks, create one-way proxies, and even bypass network filters.
How the Attacks Work
The vulnerabilities stem from the lack of authentication and encryption in protocols such as IP6IP6, GRE6, 4in6, and 6in4. These protocols facilitate data transfers between disconnected networks but fail to include adequate security measures like Internet Protocol Security (IPsec). This omission creates an opportunity for attackers to inject malicious traffic into a tunnel.
Simon Migliano from Top10VPN described the attack mechanism:
- The attacker sends a packet with two IP headers encapsulated using a vulnerable protocol.
- The outer header has the attacker’s source IP and the vulnerable host’s IP as the destination.
- The inner header falsely claims the source IP is from the vulnerable host, with the target’s IP as the destination.
When the host receives this packet, it strips the outer header and forwards the inner packet to the target. The target perceives the malicious packet as originating from the trusted host, bypassing network filters and leaving it open to further attacks.
CVE Identifiers Assigned to the Vulnerabilities
The vulnerabilities have been documented under the following CVE identifiers:
- CVE-2024-7595: GRE and GRE6
- CVE-2024-7596: Generic UDP Encapsulation
- CVE-2025-23018: IPv4-in-IPv6 and IPv6-in-IPv6
- CVE-2025-23019: IPv6-in-IPv4
These identifiers serve as critical references for organizations looking to address the security flaws.
Recommended Defenses to Mitigate Risks
Experts recommend several measures to prevent exploitation of these vulnerabilities:
- Authentication and Encryption: Use IPsec or WireGuard to secure tunneling protocols.
- Traffic Filtering: Implement filtering on routers and middleboxes to block unauthorized packets.
- Deep Packet Inspection (DPI): Conduct DPI to identify and reject malicious traffic.
- Restrict Tunneling Packets: Accept packets only from trusted sources.
- Block Unencrypted Packets: Prohibit all unencrypted tunneling traffic at the network level.
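The following is an added example, not code from the research or from Top10VPN, showing how a host-side policy check can apply two of the defenses above to the attack pattern described earlier: decapsulate only packets whose outer source is a configured tunnel peer, and reject any packet whose inner header claims the receiving host itself as its source. It assumes IPv4-in-IPv4 (protocol 4) for the inner-header check and uses constructed packets in documentation address ranges.

```python
import ipaddress
import struct

# Protocol numbers in the outer IPv4 header that mark an encapsulated packet
IPIP, SIX_IN_4, GRE = 4, 41, 47
TUNNEL_PROTOS = {IPIP, SIX_IN_4, GRE}

def parse_ipv4_header(buf):
    """Return (src, dst, protocol, header length) for the IPv4 header at buf[0]."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (fields[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(fields[8]), ipaddress.IPv4Address(fields[9]),
            fields[6], ihl)

def classify_tunnel_packet(raw, host_ip, trusted_peers):
    """Return (verdict, reason) for a packet arriving at host_ip, before decapsulation."""
    host = ipaddress.IPv4Address(host_ip)
    peers = {ipaddress.IPv4Address(p) for p in trusted_peers}
    outer_src, _outer_dst, proto, ihl = parse_ipv4_header(raw)
    if proto not in TUNNEL_PROTOS:
        return "pass", "not a tunneling packet"
    if proto == IPIP:  # inner IPv4 header follows the outer header directly
        inner_src, _inner_dst, _, _ = parse_ipv4_header(raw[ihl:])
        if inner_src == host:  # the spoofing pattern the research describes
            return "drop", f"inner source {inner_src} is this host: spoofed encapsulation"
    if outer_src not in peers:  # "accept packets only from trusted sources"
        return "drop", f"outer source {outer_src} is not a trusted tunnel peer"
    return "accept", f"outer source {outer_src} is a trusted tunnel peer"

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header for the constructed samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample packets using documentation address ranges (not real hosts).
HOST, PEER, ATTACKER, TARGET = "198.51.100.10", "198.51.100.1", "203.0.113.7", "192.0.2.20"
# Attack pattern from the article: outer attacker -> host, inner claims host -> target.
SPOOFED = build_ipv4(ATTACKER, HOST, IPIP, build_ipv4(HOST, TARGET, 17))
# Legitimate tunnel traffic from a configured peer carrying private inner addresses.
LEGIT = build_ipv4(PEER, HOST, IPIP, build_ipv4("10.0.0.5", "10.0.1.9", 17))
```

Call `classify_tunnel_packet(SPOOFED, HOST, [PEER])` to see the spoofed packet rejected and `classify_tunnel_packet(LEGIT, HOST, [PEER])` to see the peer's traffic accepted; a GRE packet from an unknown outer source is dropped by the peer check alone.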
Organizations that fail to adopt these defenses risk falling victim to attacks that can cause network congestion, disrupt services, and enable further exploitation like man-in-the-middle attacks.
The Impact on Victims
The consequences of these attacks are severe. Overloaded network devices can crash, and network congestion can cripple internet services. For enterprises, the disruptions can lead to significant financial losses and damage to reputation.
Moreover, attackers can exploit these vulnerabilities to intercept sensitive data, posing a significant threat to user privacy and security.
A Reminder of Old Flaws
Interestingly, this isn’t the first time tunneling protocols have come under scrutiny. In 2020, a similar vulnerability (CVE-2020-10136) highlighted the same fundamental issue: the lack of adequate security measures in protocol design. The recurrence of such flaws underscores the urgency of adopting stricter security practices across the board.