New research by Mathy Vanhoef, a professor at KU Leuven University in Belgium, and PhD student Angelos Beitis, reveals that over 4 million systems worldwide, including VPN servers and home routers, are vulnerable to attacks due to tunneling protocol flaws. These vulnerabilities are primarily caused by misconfigured systems that accept tunneling packets without verifying the sender’s identity. The researchers found that various tunneling protocols, such as IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4, are vulnerable to exploitation, allowing attackers to exploit the flaws and launch a range of malicious attacks.
Tunneling protocols are essential for transporting data across different networks
Tunneling protocols are essential for transporting data across different networks, often used to run protocols like IPv6 over IPv4. However, they are susceptible to abuse if misconfigured. The research shows that when systems fail to authenticate packets properly, attackers can send specially crafted packets that contain a victim’s IP address. These packets are then forwarded to the victim by the vulnerable host, providing attackers with a method to launch attacks such as anonymous DoS attacks, DNS spoofing, and even gain access to internal networks and IoT devices.
The researchers conducted an internet-wide scan, identifying over 4.26 million vulnerable hosts, which include VPN servers, home routers provided by ISPs, core internet routers, mobile network gateways, and CDN nodes. Over 1.8 million of these vulnerable hosts are spoofing-capable, meaning attackers can conduct anonymous attacks by using any IP address as the source address for the inner packet. This allows attackers to remain undetected, making it significantly harder for network defenders to identify and mitigate the threat.
The study reveals that a majority of these vulnerable systems are located in China, followed by France. CVE identifiers CVE-2024-7595, CVE-2025-23018, CVE-2025-23019, and CVE-2024-7596 have been assigned to these vulnerabilities. The researchers have shared technical details of their findings and offered recommendations for mitigating the risks. They suggest that individual hosts, ISPs, and other network owners can implement defense measures to secure vulnerable systems and prevent attackers from leveraging these flaws for malicious purposes.
