Security vulnerabilities in various tunneling protocols are putting millions of network hosts at risk. This recent discovery, made by a team of researchers in collaboration with KU Leuven professor Mathy Vanhoef, has revealed that over 4.2 million hosts, including VPN servers, ISP home routers, core internet routers, mobile network gateways, and CDN nodes, could be exposed to potentially devastating attacks. The vulnerability reports highlight that these issues are particularly prevalent in regions such as China, France, Japan, the U.S., and Brazil. The affected tunneling protocols in question are IP6IP6, GRE6, 4in6, and 6in4, which lack adequate authentication and encryption measures unless supplemented with additional security protocols like Internet Protocol Security (IPsec).
The Core Issue
The primary problem with the affected tunneling protocols is their inherent lack of built-in security measures. Without additional layers of protection such as IPsec, these protocols become susceptible to a variety of attack vectors. This security void provides an opportunity for attackers to exploit these hosts, enabling various malicious activities. These can range from creating one-way proxies to spoofing source IP addresses, accessing private organizational networks, and conducting denial-of-service (DoS) attacks. CDN nodes, mobile network gateways, core internet routers, VPN servers, and ISP home routers are vulnerable, raising significant red flags for both individual users and large enterprises.
The magnitude of the issue becomes clear when we consider how integral these hosts are to the modern internet infrastructure. For instance, VPN servers are commonly used by individuals and organizations to secure their communications. ISP home routers connect millions of homes to the internet, while core internet routers and mobile network gateways form the backbone of global networks. Similarly, CDN nodes are vital for delivering content quickly to users worldwide. Therefore, any vulnerability in these systems can have far-reaching and potentially catastrophic consequences.
The Vulnerabilities and Their Exploitation
These security flaws have been formally assigned specific Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2024-7595 for GRE and GRE6, CVE-2024-7596 for Generic UDP Encapsulation, CVE-2025-23018 for IPv4-in-IPv6 and IPv6-in-IPv6, and CVE-2025-23019 for IPv6-in-IPv4. The identified vulnerabilities allow attackers to send packets with encapsulated IP headers, where the outer header carries the attacker’s IP address while the inner header deceptively shows the vulnerable host’s IP address. This manipulation tricks network filters into believing that the packet originates from a trusted source, enabling it to bypass existing security measures.
Once past these filters, attackers can launch a range of harmful activities. For example, they can create one-way proxies to relay data from other compromised hosts, effectively masking their operations. They can also spoof IP addresses, making it appear as though traffic is coming from a different source. This can be particularly damaging in coordinated DoS attacks, where multiple hosts are utilized to overwhelm a target system. Moreover, by gaining access to private organizational networks, attackers can intercept sensitive data, leading to data breaches and significant financial loss.
Mitigating Security Risks
To mitigate these significant security risks, several measures can be recommended. One of the most effective solutions involves the use of IPsec or WireGuard, robust protocols ensuring authentication and encryption. By employing these additional security layers, the integrity of the tunneling protocols can be significantly enhanced. It is also advisable for network administrators to accept tunneling packets only from trusted sources, ensuring that incoming data is verified and legitimate. Implementing traffic filtering and Deep Packet Inspection (DPI) on routers and middleboxes can further fortify defenses against these vulnerabilities.
Additionally, blocking all unencrypted tunneling packets can serve as a formidable deterrent to potential attackers. Failure to address these vulnerabilities could lead to severe consequences like network congestion, service disruption, and further exploitation of compromised systems. Attackers could also execute man-in-the-middle attacks or intercept data, causing irreparable damage to organizations and individual users alike. Concerted efforts and diligent practices in securing these networks are paramount to safeguarding against these critical flaws.
The Path Forward
Recent research conducted with KU Leuven professor Mathy Vanhoef has uncovered significant security vulnerabilities within several tunneling protocols, endangering millions of network hosts. The study indicates that over 4.2 million hosts, which include VPN servers, ISP home routers, core internet routers, mobile network gateways, and CDN nodes, are at risk of severe attacks. These vulnerabilities are strikingly prominent in regions such as China, France, Japan, the U.S., and Brazil. The compromised tunneling protocols—IP6IP6, GRE6, 4in6, and 6in4—suffer from a critical lack of adequate authentication and encryption. Without the additional support of security protocols like Internet Protocol Security (IPsec), these systems remain highly vulnerable. Experts stress the urgency of addressing these flaws to prevent potential breaches and ensure the safety and integrity of global network communications. The findings highlight the continuous need for rigorous security measures in the ever-evolving landscape of internet technology.