Recent studies reveal significant security vulnerabilities across various tunneling protocols, potentially allowing malicious actors to execute diverse attacks. Researchers from Top10VPN, collaborating with KU Leuven’s Mathy Vanhoef, indicate that Internet hosts accepting tunneling packets without sender verification can be exploited for anonymous attacks, jeopardizing the security of network infrastructures.

The investigation identified approximately 4.2 million vulnerable hosts, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery nodes. The countries most impacted by these vulnerabilities include China, France, Japan, the United States, and Brazil.

When exploited, these vulnerabilities could enable attackers to misuse compromised systems as one-way proxies or orchestrate denial-of-service (DoS) attacks. According to the CERT Coordination Center (CERT/CC), an adversary may exploit these flaws to create one-way proxies, spoof IP addresses, and gain unauthorized access to private networks, exacerbating the risks of DDoS attacks on organizations.

The vulnerabilities stem from tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, primarily designed for secure data transmission between disconnected networks. However, the lack of robust security measures, including proper authentication and encryption standards such as Internet Protocol Security (IPsec), allows attackers to inject harmful traffic.

The ability to inject malicious traffic represents an evolution of a flaw previously noted in 2020, identified as CVE-2020-10136. Newly identified vulnerabilities have associated Common Vulnerabilities and Exposures (CVE) identifiers, including CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, and CVE-2025-23019.

As detailed by Top10VPN’s Simon Migliano, an attacker can craft a packet using one of the affected protocols, embedding two IP headers—one for the attacker’s source and one for the vulnerable host. Upon receipt, the vulnerable system removes the outer header, forwarding the inner packet to the target, thereby circumventing security filters placed on the network.

To mitigate risks, it is advisable to implement protocols like IPsec or WireGuard for authentication and encryption, and to accept tunneling packets only from trusted sources. Additionally, employing traffic filtering on routers, performing deep packet inspection, and blocking unencrypted tunneling packets can fortify defenses against these vulnerabilities.
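The "only accept tunneling packets from trusted sources" rule can be sketched as a small packet classifier. This is an added example, not code from the researchers or Top10VPN; the peer allow-list, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers behind the encapsulations the article names:
# 4 = IPv4 inner (4in6), 41 = IPv6 inner (6in4, IP6IP6), 47 = GRE (GRE6).
TUNNEL_PROTOS = {4: "IPv4-in-IP", 41: "IPv6-in-IP", 47: "GRE"}
# Assumption: the only peers this host has configured tunnels with.
TRUSTED_PEERS = [ipaddress.ip_network("192.0.2.10/32"),
                 ipaddress.ip_network("2001:db8:1::/64")]

def outer_header(pkt):
    """Return (source, protocol) from the outer IPv4 or IPv6 header.
    IPv6 extension headers are not walked (simplification)."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        return ipaddress.ip_address(pkt[12:16]), pkt[9]
    if len(pkt) >= 40 and pkt[0] >> 4 == 6:
        return ipaddress.ip_address(pkt[8:24]), pkt[6]
    raise ValueError("truncated or non-IP packet")

def classify(pkt):
    """Return (action, tunnel type): 'pass' for non-tunnel traffic, 'accept'
    for a tunnel packet from a trusted peer, 'drop' for any other sender."""
    try:
        src, proto = outer_header(pkt)
    except ValueError:
        return "drop", None
    name = TUNNEL_PROTOS.get(proto)
    if name is None:
        return "pass", None
    trusted = any(src in net for net in TRUSTED_PEERS)
    return ("accept" if trusted else "drop"), name

def ipv4(src, dst, proto, payload=b""):
    """Constructed sample: minimal IPv4 header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def ipv6(src, dst, nxt, payload=b""):
    """Constructed sample: minimal IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

if __name__ == "__main__":
    inner = ipv6("2001:db8:2::1", "2001:db8:3::5", 6)
    print(classify(ipv4("198.51.100.7", "203.0.113.1", 41, inner)))  # unknown sender
    print(classify(ipv4("192.0.2.10", "203.0.113.1", 41, inner)))    # configured peer
```

A source-address allow-list is a filter, not authentication, since the outer source address can itself be spoofed; it complements rather than replaces the IPsec or WireGuard protection recommended above.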

Victims of successful DoS attacks may experience network congestion, service disruptions due to resource overload, and the potential crashing of critical network devices. These attacks may also open further avenues for exploitation, such as man-in-the-middle operations and data interception.

Updated research identifies a variety of novel DoS attacks enabled by these vulnerabilities, including Routing Loop DoS and economic denial of sustainability (EDoS), which could lead to significant operational disruptions. The amplification factors associated with specific attack types—like Tunnel-Temporal Lensing—underscore the severity of the issue.

For professionals aiming to protect their networks, understanding these vulnerabilities and the associated MITRE ATT&CK tactics—such as initial access, privilege escalation, and exploitation—is crucial in developing a comprehensive security strategy.

For further information, please refer to the comprehensive study titled “Haunted by Legacy: Discovering and Exploiting Vulnerable Tunnelling Hosts,” authored by Angelos Beitis and Mathy Vanhoef.
