Tunneling Protocol Vulnerabilities Threaten 4 Million Hosts

A new study has uncovered vulnerabilities in several tunneling protocols, putting over 4 million systems at risk, including VPN servers and routers. Experts warn that hosts accepting tunneled packets without verifying the sender can be compromised, used for anonymous attacks, and provide unauthorized access to networks.

The research was published by Top10VPN in collaboration with Professor Mathy Vanhoef, a renowned cybersecurity researcher from KU Leuven, and PhD student Angelos Beitis. Vanhoef is well-known for his Wi-Fi security research, having discovered and described high-profile issues such as SSID Confusion, Frag Attacks, Dragonblood, and KRACK.

Details of the Vulnerabilities

This time, the researchers examined tunneling protocols used to transmit data between different networks, allowing the transfer of data types not natively supported (for example, using IPv6 over an IPv4 network) by encapsulating one packet inside another.

Building on previous findings that IPv4 hosts accept unauthenticated IPIP traffic from any source, Vanhoef and Beitis identified several tunneling protocols (including IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4) that are vulnerable to abuse because, unless they are wrapped in additional protection such as IPsec, they neither authenticate nor encrypt traffic.

Experts explain that improperly configured systems accept tunneled packets without verifying the sender. This allows attackers to send specially crafted packets to a vulnerable host, containing the victim’s IP address, forcing the host to forward the internal packet to the victim and opening the door for further attacks.

“Attackers only need to send a packet encapsulated using one of the affected protocols with two IP headers. The outer header contains the attacker’s source IP address and the vulnerable host as the destination. The inner header contains the vulnerable host’s IP address, not the attacker’s,” the researchers explain.

Upon receiving such a malicious packet, the vulnerable host automatically removes the outer header and forwards the inner packet to its destination. Since the IP address in the inner packet belongs to a trusted host, it can bypass network filters.

Potential Attack Scenarios

Attackers can use this technique for anonymous attacks, including using hosts as one-way proxies, conducting DoS attacks, DNS spoofing, and gaining access to internal networks and IoT devices.

The researchers scanned the internet and found 4.26 million hosts vulnerable to these issues, including VPN servers, routers (often provided by ISPs), backbone routers, gateways, mobile network nodes, and CDNs. Notably, over 1.8 million of these vulnerable hosts can be used for spoofing.

Most vulnerable hosts were found in China, France, Japan, the United States, and Brazil.

“All vulnerable hosts can be compromised for anonymous attacks, as the outer packet headers containing the attacker’s real IP address are removed. However, these attacks can be traced back to the compromised host, which can then be secured,” the researchers write. “Hosts suitable for spoofing can use any IP address as the source in the inner packet, making not only the attacker anonymous but also making it much harder to detect and secure the compromised host.”

CVE Identifiers and Recommendations

The discovered vulnerabilities have been assigned the following CVE identifiers:

  • CVE-2024-7595 (GRE and GRE6)
  • CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6)
  • CVE-2025-23019 (IPv6-in-IPv4)
  • CVE-2024-7596 (Generic UDP Encapsulation)

According to the CERT Coordination Center (CERT/CC), “Attackers can exploit these vulnerabilities to create one-way proxies and spoof IPv4/6 source addresses. Vulnerable systems may also expose private organizational networks or be used for DDoS attacks.”

How to Protect Against These Vulnerabilities

  • Use IPsec or WireGuard to ensure authentication and encryption.
  • Only accept tunneled packets from trusted sources.
  • Implement network-level traffic filtering on routers and intermediate nodes.
  • Use Deep Packet Inspection (DPI) and block all unencrypted tunneled packets.
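The following filter applies the two checks the article describes (accept tunnel packets only from configured peers, and never forward an inner packet whose source claims to be the endpoint itself). It is an added Python example, not code from the researchers or from this article; the addresses, the peer allowlist and the sample packets are constructed.

```python
import ipaddress
import struct

IPIP, GRE = 4, 47  # IPv4 protocol numbers for IP-in-IP and GRE encapsulation
OWN_ADDRESS = ipaddress.ip_address("203.0.113.10")       # this tunnel endpoint (constructed)
TRUSTED_PEERS = {ipaddress.ip_address("198.51.100.7")}   # configured tunnel peers (constructed)

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for an IPv4 header, or None if it is not one."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    return (ipaddress.ip_address(buf[12:16]), ipaddress.ip_address(buf[16:20]),
            buf[9], buf[ihl:])

def gre_header_len(payload):
    """Base GRE header is 4 bytes; the C, K and S flags each add a 4-byte field (RFC 2890)."""
    flags = payload[0]
    return 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)

def tunnel_verdict(packet):
    """'accept' if the packet may be decapsulated and forwarded, else a 'drop: ...' reason."""
    outer = parse_ipv4(packet)
    if outer is None:
        return "drop: not ipv4"
    o_src, o_dst, proto, payload = outer
    if proto not in (IPIP, GRE):
        return "accept"                       # not a tunnel packet; normal rules apply
    if o_src not in TRUSTED_PEERS:
        return "drop: untrusted tunnel peer"  # the sender check the vulnerable hosts lack
    if proto == GRE:
        if len(payload) < 4:
            return "drop: truncated gre header"
        payload = payload[gre_header_len(payload):]
    inner = parse_ipv4(payload)
    if inner is None:
        return "drop: unparseable inner packet"
    i_src = inner[0]
    if i_src in (OWN_ADDRESS, o_dst):
        return "drop: inner source claims to be this host"
    return "accept"

def make_ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (checksum left zero) for building constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

# Constructed sample: outer header from an unknown source, inner header claiming to be us.
SPOOFED = make_ipv4("192.0.2.1", "203.0.113.10", IPIP,
                    make_ipv4("203.0.113.10", "198.51.100.50", 6))
```

The same logic expressed as firewall rules would be a peer allowlist on `ip protocol {ipip, gre}` plus a drop for decapsulated packets whose source is one of the host's own addresses.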

More in-depth technical details of the research are available in the paper published by Vanhoef and Beitis.
