Tunneling Flaws Put VPNs, CDNs and Routers at Risk Globally
Millions of internet hosts, including home routers, VPN servers, and CDN nodes, can be abused because they accept unauthenticated traffic for common tunneling protocols such as IPIP, GRE, and 6in4/4in6. This article explains how such hosts can be turned into one-way proxies for attacks and what operators can do about it.

New vulnerabilities affecting multiple tunneling protocols (IPIP/IP6IP6, GRE/GRE6, 4in6, 6in4) have been disclosed by Top10VPN in collaboration with KU Leuven security researcher Mathy Vanhoef. They allow attackers to hijack affected internet hosts, routing attack traffic through them anonymously and, in some cases, reaching the private networks behind them.

A large-scale internet scan identified 4.2 million open tunneling hosts. These include critical infrastructure such as VPN servers, home routers, core internet routers, mobile network gateways, and even content delivery network (CDN) nodes operated by major players like Facebook and Tencent. Vulnerable hosts enable a range of attacks, including new DoS techniques and DNS spoofing. Four CVEs were assigned, one per encapsulation family: CVE-2024-7595 (GRE and GRE6), CVE-2024-7596 (Generic UDP Encapsulation, GUE), CVE-2025-23018 (IPv4-in-IPv6 and IPv6-in-IPv6), and CVE-2025-23019 (IPv6-in-IPv4).

The countries with the most affected hosts are China, France, Japan, the U.S., and Brazil. Over 11,000 autonomous systems (ASes) are impacted, with Softbank, Eircom, Telmex, and China Mobile hosting the largest numbers of vulnerable devices.

The root cause is that many internet hosts accept tunneling packets without verifying who sent them: any packet with the right outer protocol is decapsulated and its inner packet forwarded. Because the inner packet's addresses are chosen entirely by the sender, this lack of authentication lets attackers use such hosts as proxies for malicious traffic.

“These hosts accept unauthenticated tunneling traffic from any source. This means they can be abused as one-way proxies to perform a range of anonymous attacks. Vulnerable hosts can also potentially be abused to gain access to victims’ private networks,” Top10VPN’s researcher and report author Simon Migliano noted.

In practice, an attacker wraps a packet of their choosing inside a tunneling packet addressed to a vulnerable host. The host strips the outer header and forwards the inner packet, so the victim sees whatever source address the attacker wrote into it and neither the attacker's nor the host's real origin is visible, which makes the traffic hard to trace back. Where the host also routes into an internal network, the same trick can deliver packets to systems that were never meant to be reachable from the internet.

Tunneling protocols such as IPIP, GRE, and 6in4/4in6 play a crucial role in modern networking, carrying one network's packets across another. However, these protocols carry no authentication or encryption of their own, so a host that does not restrict tunnel traffic to known peers, or wrap the tunnel in IPsec or WireGuard, will decapsulate and forward anything it receives.
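The following is an added example, written for this article and not code from the Top10VPN/Vanhoef research or from any affected product. It builds an IP-in-IP (IP protocol 4) packet with the Python standard library, models what an open tunnel host does with it (strip the outer header, forward the inner packet, no questions asked), and shows the peer check such a host is missing, which is also the mitigation the closing section of the article asks for. The probe layout (an inner ICMP echo addressed back to the scanner), the documentation-range addresses, and all function names are assumptions of this example; nothing is sent on the wire.

```python
"""Added example: IP-in-IP (protocol 4) packet construction, an open tunnel
host's decapsulation behaviour, and the missing source check. Pure standard
library; nothing is transmitted."""
import ipaddress
import struct
from typing import Optional

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4   # IPv4-in-IPv4, RFC 2003


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes = b"probe") -> bytes:
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_ipip_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                      inner_proto: int, inner_payload: bytes) -> bytes:
    """Outer IPv4 header (proto 4) wrapping a complete inner IPv4 packet. The outer
    source is the only field a tunnel endpoint could check; the inner addresses
    are chosen freely by whoever sends the packet."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(inner_payload)) + inner_payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, length and header checksum; return header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt) or checksum(pkt[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def open_host_decapsulate(pkt: bytes) -> Optional[bytes]:
    """Vulnerable behaviour: any proto-4 packet from any source has its outer
    header stripped and the inner packet is forwarded as-is."""
    outer = parse_ipv4(pkt)
    return outer["payload"] if outer["proto"] == IPPROTO_IPIP else None


def filtered_decapsulate(pkt: bytes, trusted_peers: set) -> Optional[bytes]:
    """Same host with the missing check: decapsulate only for configured peers.
    A source allowlist is still defeatable by IP spoofing, so the real fix is an
    authenticated tunnel (IPsec or WireGuard); this is the minimum."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or outer["src"] not in trusted_peers:
        return None
    return outer["payload"]


def build_scan_probe(scanner: str, target: str) -> bytes:
    """Assumed probe layout: inner ICMP echo addressed back to the scanner. If the
    scanner receives the inner packet, the target decapsulated an unauthenticated
    tunnel packet from a stranger."""
    return build_ipip_packet(scanner, target, target, scanner, IPPROTO_ICMP,
                             icmp_echo_request(ident=0x1234, seq=1))


def probe_hit(forwarded: Optional[bytes], scanner: str, target: str) -> bool:
    """True when the forwarded packet is our own inner echo, i.e. the target is open."""
    if forwarded is None:
        return False
    inner = parse_ipv4(forwarded)
    icmp = inner["payload"]
    return (inner["src"] == target and inner["dst"] == scanner and inner["proto"] == IPPROTO_ICMP
            and icmp[0] == 8 and struct.unpack("!H", icmp[4:6])[0] == 0x1234 and checksum(icmp) == 0)


if __name__ == "__main__":
    # Constructed documentation-range addresses; nothing is transmitted.
    scanner, target, victim = "198.51.100.10", "203.0.113.5", "192.0.2.20"
    probe = build_scan_probe(scanner, target)
    print("open host forwards probe:", probe_hit(open_host_decapsulate(probe), scanner, target))
    print("filtered host forwards probe:",
          probe_hit(filtered_decapsulate(probe, {"203.0.113.1"}), scanner, target))
    # One-way proxy abuse: inner packet carries a spoofed source and the victim's address;
    # the open host forwards it and neither attacker nor host appears in what the victim sees.
    proxied = open_host_decapsulate(build_ipip_packet(
        scanner, target, "192.0.2.99", victim, IPPROTO_ICMP, icmp_echo_request(1, 1)))
    print("victim sees source:", parse_ipv4(proxied)["src"])
```

The same builder covers both uses discussed above: with the inner packet addressed back to the scanner it is a detection probe, and with a spoofed inner source and a victim's address it is the one-way proxy abuse. Note that `filtered_decapsulate` only raises the bar; because the outer source can be spoofed too, operators who need a tunnel should authenticate it with IPsec or WireGuard rather than rely on an address allowlist alone.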

According to Top10VPN's report, at least 1,365 vulnerable VPN servers were identified, spanning consumer VPNs, routers with remote-access features, and business VPNs. AoxVPN, a service with over a million users, was among those affected.

Additionally, around 1,200 vulnerable routers reachable via dynamic DNS were detected, primarily Synology models offering remote access through VPN Plus Server. A further 171 company VPN servers, mostly speaking GRE, belonged to businesses and organizations in 33 countries, with the United States, China, and Hong Kong most affected. Over 17% of all vulnerable devices were home routers of the French ISP Free, which accepted unauthenticated tunnel traffic.

Furthermore, the researchers devised novel attack techniques, "Ping-pong Amplification" and "Tunneled-Temporal Lensing," that use open tunnel hosts to launch powerful Denial-of-Service (DoS) attacks. Open hosts also make existing attacks easier to carry out and harder to attribute, including DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, and certain WiFi attacks.

The practical fix is on the hosts, not the protocols: a tunnel endpoint should accept tunneling packets only from configured, trusted peers, and where the traffic matters it should be carried inside an authenticated and encrypted tunnel such as IPsec or WireGuard rather than bare IPIP, GRE, or 6in4. Network operators can additionally filter unsolicited tunneling protocols at their borders and deploy ingress filtering so spoofed outer sources cannot reach the endpoints. Regular security audits, firmware and software updates, and awareness among administrators and end-users remain important for finding and fixing exposed devices.
