4M+ Internet-Exposed Systems at Risk From Tunneling Protocol Vulnerabilities
Researchers have uncovered critical security vulnerabilities affecting millions of servers and routers worldwide, stemming from hosts that accept unauthenticated packets over fundamental internet tunneling protocols.
The flaws could allow attackers to bypass security controls, spoof their identity, access private networks, and launch powerful denial-of-service attacks.
The discovery was made by security researchers Mathy Vanhoef and Angelos Beitis from the DistriNet-KU Leuven research group in Belgium.
Their investigation revealed that over 4.2 million internet hosts, including core internet routers, VPN servers, and even residential routers, are improperly configured to accept unauthenticated traffic over common tunneling protocols such as IPIP (IP-in-IP), GRE, 4in6, and 6in4.
These protocols are essential for modern network infrastructure, but none of them natively includes authentication: a host that accepts tunneled packets from arbitrary sources will decapsulate and forward whatever is inside them, with no way of knowing who actually sent the packet.
This widespread vulnerability is considered a broader manifestation of a previously identified issue, CVE-2020-10136, which covered the same unauthenticated-decapsulation problem for IP-in-IP. The core problem is that these vulnerable systems can be tricked into forwarding traffic from any source, effectively turning them into one-way proxies that help attackers hide their true location.
Significant Impact and New Attack Methods
The consequences of these vulnerabilities are severe. Attackers can leverage them to spoof source IP addresses: the forwarded inner packet carries whatever source address the attacker wrote into it, and the victim sees the traffic coming from the vulnerable host rather than from the attacker, making malicious activity difficult to trace. They may also gain unauthorized entry into an organization's internal network, or use the vulnerable system to launch attacks on other targets.
The research also brought to light three new types of attacks that exploit these weaknesses:
- Tunneled-Temporal Lensing (TuTL): A Denial-of-Service (DoS) attack that concentrates traffic in time, achieving a traffic amplification factor of at least 16.

- The Ping-Pong Attack: A more potent DoS attack where packets are looped between two vulnerable systems, resulting in an amplification factor of 75-fold or more.

- Economic Denial of Sustainability (EDoS): An attack that drains the outgoing bandwidth of a vulnerable system, which can lead to significant financial costs for organizations using third-party cloud services.
A global scan for vulnerable hosts found significant exposures in China, the United States, France, Japan, and Brazil. Major companies, including Softbank and China Mobile, were found to have vulnerable infrastructure.
In France, thousands of home routers from a single internet provider were affected. The researchers have notified all involved parties so the systems can be secured.
Several new CVE identifiers have been assigned to track these vulnerabilities across different protocols:
- CVE-2024-7595: Affects GRE and GRE6 protocols.
- CVE-2024-7596: Pertains to the expired Generic UDP Encapsulation (GUE) draft.
- CVE-2025-23018: Covers IPv4-in-IPv6 and IPv6-in-IPv6 protocols.
- CVE-2025-23019: Relates to the IPv6-in-IPv4 protocol.
Experts recommend that organizations review their network configurations to prevent these attacks. The primary defense is to configure systems to accept tunneled packets only from trusted, explicitly allowlisted endpoint addresses, and to drop encapsulated packets arriving from anywhere else. Because the outer source address of an IP packet can itself be forged, such filtering limits exposure but does not authenticate the sender.
For more robust security, network administrators are urged to implement protocols like IPsec, which provides the authentication and encryption that these tunneling protocols lack by default.
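To make the problem concrete, here is a worked example added to this article; it is not code from the researchers or from any affected vendor. It builds a constructed IPIP packet and a constructed GRE packet (documentation-range addresses, not captured traffic) and then decapsulates them the way an exposed tunnel endpoint would: once unconditionally, which is the vulnerable behaviour described above, and once behind a source-address allowlist, which is the primary mitigation recommended above. The attacker, endpoint, and internal addresses and the `peers` list are assumptions chosen for illustration.

```python
"""IPIP / GRE decapsulation as an exposed tunnel endpoint performs it.

decapsulate_open()        -> vulnerable: any outer source is accepted
decapsulate_allowlisted() -> hardened: outer source must be a configured peer
"""
import ipaddress
import struct
from typing import Optional

IPPROTO_IPIP = 4        # IANA protocol number for IPv4-in-IPv4
IPPROTO_UDP = 17
IPPROTO_GRE = 47        # Generic Routing Encapsulation
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 inner packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header, rejecting bad version, length or checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def build_gre(inner: bytes, key: Optional[int] = None) -> bytes:
    """GRE header (RFC 2784, key extension from RFC 2890) around an IPv4 packet."""
    flags = 0x2000 if key is not None else 0          # K bit: key field present
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def strip_gre(payload: bytes) -> bytes:
    """Return the inner packet behind a GRE header, honouring the C, K and S bits."""
    flags, ptype = struct.unpack("!HH", payload[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    hdr_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return payload[hdr_len:]


def inner_packet(outer: dict) -> Optional[dict]:
    """Decapsulate IPIP or GRE-over-IPv4; None for anything that is not a tunnel."""
    if outer["proto"] == IPPROTO_IPIP:
        return parse_ipv4(outer["payload"])
    if outer["proto"] == IPPROTO_GRE:
        return parse_ipv4(strip_gre(outer["payload"]))
    return None


def decapsulate_open(pkt: bytes) -> Optional[dict]:
    """Vulnerable endpoint: whoever sent the outer packet, the inner one is forwarded."""
    return inner_packet(parse_ipv4(pkt))


def decapsulate_allowlisted(pkt: bytes, peers) -> Optional[dict]:
    """Hardened endpoint: drop tunnel packets whose outer source is not a configured peer."""
    outer = parse_ipv4(pkt)
    src = ipaddress.IPv4Address(outer["src"])
    if not any(src in ipaddress.IPv4Network(p) for p in peers):
        return None                                  # dropped before decapsulation
    return inner_packet(outer)


# Constructed sample traffic (assumed addresses from documentation ranges).
ATTACKER, ENDPOINT = "198.51.100.7", "203.0.113.10"
INNER = build_ipv4("192.0.2.1", "10.0.0.5", IPPROTO_UDP, b"spoofed payload")  # forged inner source
IPIP_ATTACK = build_ipv4(ATTACKER, ENDPOINT, IPPROTO_IPIP, INNER)
GRE_ATTACK = build_ipv4(ATTACKER, ENDPOINT, IPPROTO_GRE, build_gre(INNER, key=42))

if __name__ == "__main__":
    for name, pkt in (("IPIP", IPIP_ATTACK), ("GRE", GRE_ATTACK)):
        fwd = decapsulate_open(pkt)
        print(f"{name} open endpoint forwards {fwd['src']} -> {fwd['dst']} (real sender {ATTACKER})")
        print(f"{name} allowlisted endpoint: {decapsulate_allowlisted(pkt, ['203.0.113.0/24'])}")
```

The open endpoint hands `10.0.0.5` a packet that appears to come from `192.0.2.1`, the address the attacker chose, while the real sender `198.51.100.7` is nowhere in what the internal host sees; the allowlisted variant returns `None` for the same packets because the outer source is not a configured peer. As noted above, the allowlist only checks an address that could itself be forged, which is why authenticated encapsulation such as IPsec is the stronger fix.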