- Security researchers find multiple vulnerabilities in different tunneling protocols
- The bugs allowed threat actors to mount DoS attacks, and more
- The majority of vulnerable endpoints were in China
Millions of VPN servers, home routers, and other internet hosts could be carrying multiple vulnerabilities which could allow threat actors to perform anonymous attacks and could grant them access to private networks, experts have warned.
New research from Mathy Vanhoef, a professor at the KU Leuven university in Belgium, PhD student Angelos Beitis, and Top10VPN discovered the vulnerabilities in multiple tunneling protocols: IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4, and were given these identifiers: CVE-2024-7595, CVE-2025-23018, CVE-2025-23019 and CVE-2024-7596.
VPN tunneling protocols are methods used to securely transmit data between a user’s device and a VPN server by encapsulating it within an encrypted tunnel. Common protocols include PPTP, L2TP/IPsec, OpenVPN, and WireGuard, each offering varying levels of speed, security, and compatibility.
Millions of potential victims
The vulnerable ones primarily function to encapsulate one type of IP packet (IPv4 or IPv6) within another for network routing purposes. Unlike VPN-specific protocols, these are generally used for network transport rather than encryption or secure communication.
The research argues the misconfigured systems accept tunneling packets without confirming the identity of the sender, making it, “trivial to inject traffic into the vulnerable protocols’ tunnels.”
A malicious actor could send a packet encapsulated using one of the affected protocols with two IP headers, in which the outer header contains the attackers’ source IP with the vulnerable host’s IP as the destination. The inner header’s source IP is that of the vulnerable host IP, while the destination IP is of the target.
So, when the vulnerable host receives the packet, it strips the outer IP header and forwards the inner packet to its destination, paving the way for the creation of a one-way proxy, and abusing the bug to run DoS attacks, DNS spoofing, and more.
The researcher said they scanned the internet for vulnerable hosts and found 4.26 million, including various VPN servers, ISP-provided home routers, core internet routers, mobile network gateways and nodes, and CDN nodes, most of which were located in China.
“All vulnerable hosts can be hijacked to perform anonymous attacks, as the outer packet headers containing an attacker’s real IP address are stripped. These attacks are easily traceable to the compromised host, however, which can then be secured,” the researchers explained.
“Spoofing-capable hosts can have ANY IP address as the source address in the inner packet, so not only does an attacker remain anonymous, but the compromised host also becomes much harder to discover and secure,” they added.