- Security researchers discover multiple vulnerabilities in different tunneling protocols
- The bugs allowed threat actors to launch DoS attacks and more
- Majority of vulnerable endpoints were in China
Millions of VPN servers, home routers and other Internet hosts could have multiple vulnerabilities that could allow malicious actors to carry out anonymous attacks and give them access to private networks, experts have warned.
New research from Mathy Vanhoef, professor at KU Leuven University in Belgium, doctoral student Angelos Beitis and Top10VPN found vulnerabilities in several tunneling protocols: IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4. The flaws received these identifiers: CVE-2024-7595, CVE-2025-23018, CVE-2025-23019 and CVE-2024-7596.
VPN tunneling protocols are methods used to securely transmit data between a user’s device and a VPN server by encapsulating it in an encrypted tunnel. Common protocols include PPTP, L2TP/IPsec, OpenVPN and WireGuard, each offering different levels of speed, security and compatibility.
Millions of potential victims
The most vulnerable protocols primarily encapsulate one type of IP packet (IPv4 or IPv6) inside another for network routing purposes. Unlike VPN-specific protocols, these are typically used for network transport rather than encryption or secure communication.
The research argues that poorly configured systems accept tunneled packets without confirming the identity of the sender, making it “trivial to inject traffic into the tunnels of vulnerable protocols.”
A malicious actor could send a packet encapsulated using one of the affected protocols with two IP headers. The outer header contains the attacker's IP address as the source and the IP address of the vulnerable host as the destination. In the inner header, the source IP address is that of the vulnerable host, while the destination IP address is that of the target.
So when the vulnerable host receives the packet, it strips the outer IP header and forwards the inner packet to its destination, paving the way for creating a one-way proxy and abusing the bug to launch DoS attacks, DNS spoofing, and more.
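The missing check, accepting a tunneled packet only when its outer source is a configured tunnel peer, can be sketched as follows. This is an added example, not code from the researchers; the function names are hypothetical, the addresses are constructed from documentation ranges, and the inner header is decoded for IPIP only.

```python
import ipaddress
import struct

# IP protocol numbers of encapsulations named in the article.
TUNNEL_PROTOS = {4: "IPIP", 41: "6in4", 47: "GRE"}
# Constructed sample addresses (documentation ranges), not real hosts.
HOST, PEER, STRANGER, TARGET = "192.0.2.1", "198.51.100.7", "203.0.113.50", "198.51.100.99"
TRUSTED = {ipaddress.IPv4Address(PEER)}  # the only configured tunnel endpoint

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (checksum left at 0) for the sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def inspect(packet, trusted_peers):
    """Return (verdict, detail) for one IPv4 packet received by the host."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore", "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    if proto not in TUNNEL_PROTOS:
        return "ignore", "not tunneled"
    name = TUNNEL_PROTOS[proto]
    # The check vulnerable hosts skip: is the sender a configured peer?
    if outer_src not in trusted_peers:
        return "drop", f"{name} from unconfigured peer {outer_src}"
    # For IPIP the inner IPv4 header follows the outer one directly.
    inner = packet[ihl:]
    if proto == 4 and len(inner) >= 20:
        if ipaddress.IPv4Address(inner[12:16]) == outer_dst:
            return "drop", "inner source is this host's own address"
    return "accept", f"{name} from {outer_src}"

def samples():
    """Three constructed IPIP packets: injected, legitimate, bad inner source."""
    injected = build_ipv4(STRANGER, HOST, 4, build_ipv4(HOST, TARGET, 17))
    legit = build_ipv4(PEER, HOST, 4, build_ipv4("10.0.0.5", "10.0.1.9", 17))
    bad_inner = build_ipv4(PEER, HOST, 4, build_ipv4(HOST, TARGET, 17))
    return injected, legit, bad_inner

if __name__ == "__main__":
    for pkt in samples():
        print(inspect(pkt, TRUSTED))
```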
The researcher said he scanned the Internet for vulnerable hosts and found 4.26 million, including various VPN servers, ISP-provided home routers, core Internet routers, gateways and mobile network nodes, and CDN nodes. Most were located in China.
“All vulnerable hosts can be hijacked to launch anonymous attacks because external packet headers containing an attacker’s real IP address are removed. These attacks, however, are easily traceable to the compromised host, which can then be secured,” the researchers explained.
“Spoofing-capable hosts can have ANY IP address as the source address in the internal packet, so not only does an attacker remain anonymous, but the compromised host also becomes much harder to discover and to be secured,” they added.