New research has uncovered security vulnerabilities in multiple tunneling protocols that could allow attackers to perform a wide range of attacks.
“Internet hosts that accept tunneling packets without verifying the sender’s identity can be hijacked to perform anonymous attacks and provide access to their networks,” Top10VPN said in a study, as part of a collaboration with KU Leuven professor and researcher Mathy Vanhoef.
As many as 4.2 million hosts have been found susceptible to the attacks, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and content delivery network (CDN) nodes. China, France, Japan, the U.S., and Brazil top the list of the most affected countries.
Successful exploitation of the shortcomings could permit an adversary to abuse a susceptible system as one-way proxies, as well as conduct denial-of-service (DoS) attacks.
“An adversary can abuse these security vulnerabilities to create one-way proxies and spoof source IPv4/6 addresses,” the CERT Coordination Center (CERT/CC) said in an advisory. “Vulnerable systems may also allow access to an organization’s private network or be abused to perform DDoS attacks.”
The vulnerabilities are rooted in the fact that the tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which are mainly used to facilitate data transfers between two disconnected networks, do not authenticate and encrypt traffic without adequate security protocols like Internet Protocol Security (IPsec).
The absence of additional security guardrails opens the door to a scenario where an attacker can inject malicious traffic into a tunnel, a variation of a flaw that was previously flagged in 2020 (CVE-2020-10136).
They have been assigned the following CVE identifiers for the protocols in question –
- CVE-2024-7595 (GRE and GRE6)
- CVE-2024-7596 (Generic UDP Encapsulation)
- CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6)
- CVE-2025-23019 (IPv6-in-IPv4)
“An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers,” Top10VPN’s Simon Migliano explained.
“The outer header contains the attacker’s source IP with the vulnerable host’s IP as the destination. The inner header’s source IP is that of the vulnerable host IP rather than the attacker. The destination IP is that of the target of the anonymous attack.”
Thus when the vulnerable host receives the malicious packet, it automatically strips the outer IP address header and forwards the inner packet to its destination. Given that the source IP address on the inner packet is that of the vulnerable but trusted host, it’s able to get past network filters.
As defenses, it’s recommended to use IPSec or WireGuard to provide authentication and encryption, and only accept tunneling packets from trusted sources. At the network level, it’s also advised to implement traffic filtering on routers and middleboxes, carry out Deep packet inspection (DPI), and block all unencrypted tunneling packets.
“The impact on victims of these DoS attacks can include network congestion, service disruption as resources are consumed by the traffic overload, and crashing of overloaded network devices,” Migliano said. “It also opens up opportunities for further exploitation, such as man-in-the-middle attacks and data interception.”
