New research has revealed security vulnerabilities in many tunneling protocols which can allow attackers to perform a wide range of attacks.
“Internet hosts that accept tunneled packets without verifying the identity of the sender can be hijacked to conduct anonymous attacks and secure access to their networks,” Top10VPN said in a collaborative study with KU Leuven professor and researcher Mathy Vanhoef.
More than 4.2 million hosts, including VPN servers, ISP home routers, core Internet routers, mobile network gateways, and content delivery network (CDN) nodes, were identified as affected. China, France, Japan, the USA and Brazil lead the list of the most affected countries.
Successful exploitation of the flaws could allow an adversary to abuse a susceptible system as a one-way proxy as well as conduct denial-of-service (DoS) attacks.
“An adversary could exploit these security vulnerabilities to create one-way proxies and spoof source IPv4/6 addresses,” CERT Coordination Center (CERT/CC) said in the consulting room. “Vulnerable systems can also allow access to an organization’s private network or be used to perform DDoS attacks.”
The vulnerabilities are rooted in the fact that tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which are primarily used to facilitate data transfer between two disconnected networks, do not authenticate or encrypt traffic without proper security protocols such as Internet Protocol Security (IPsec).
The lack of additional security fences opens the door to a scenario where an attacker could inject malicious traffic into the tunnel, a variant of the flaw that was indicated earlier in 2020 (CVE-2020-10136).
They have been assigned the following CVE IDs for the protocols in question −
- CVE-2024-7595 (GRE and GRE6)
- CVE-2024-7596 (Generic UDP Encapsulation)
- CVE-2025-23018 (IPv4-to-IPv6 and IPv6-to-IPv6)
- CVE-2025-23019 (IPv6-to-IPv4)
“An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers,” explained Top10VPN’s Simon Milliano.
“The outer header contains the attacker’s source IP address with the vulnerable host’s IP address as the destination. The source IP address of the inner header is the IP address of the vulnerable node, not the attacker. The destination IP address is the target address of the anonymous attack.”
Therefore, when a vulnerable host receives a malicious packet, it automatically removes the outer IP address header and forwards the inner packet to its destination. Given that the source IP address in the inside packet is that of a vulnerable but trusted host, it can bypass network filters.
As protections, it is recommended to use IPSec or WireGuard to provide authentication and encryption, and to accept tunneled packets only from trusted sources. At the network level, it is also recommended to implement traffic filtering on routers and intermediate devices, perform deep packet inspection (DPI), and block all unencrypted tunneled packets.
“The impact on victims of these DoS attacks can include network congestion, service disruptions as resources are consumed by traffic congestion, and failure of overloaded network devices,” Milliano said. “It also opens up opportunities for further exploitation, such as man-in-the-middle attacks and data interception.”
