Security and VPN researchers Simon Migliano and Mathy Vanhoef have published a new report today that warns “over 4 million internet hosts”, including VPN servers and private home broadband routers, were found to be vulnerable to being hijacked to perform anonymous attacks and provide access to their private networks – thanks to “new vulnerabilities in multiple tunneling protocols”.
The vulnerabilities (CVE-2024-7595, CVE-2025-23018/23019 and CVE-2024-7596), which relate to how internet hosts may accept tunnelling packets without verifying the sender’s identity, are said to impact various tunnelling protocols (an essential backbone of the internet), such as IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4.
Scans suggest that as many as 4.26 million hosts could have been affected, including VPN servers, ISP home routers, core internet routers, mobile network gateways and nodes, and even CDN nodes (incl. Meta and Tencent). In addition, over 11,000 Autonomous Systems (AS) are also on the list – the most affected were Softbank, Eircom, Telmex, and China Mobile (“almost 40% of vulnerable AS fail to filter spoofing hosts”).
The full report on Top10VPN notes that affected hosts accept unauthenticated tunnelling traffic from any source, which “means they can be abused as one-way proxies to perform a range of anonymous attacks” and may potentially even be abused to “gain access to victims’ private networks”.
Interestingly, over 17% of all vulnerable hosts (726,194) were said to have stemmed from a “misconfiguration” in French ISP Free’s home routers, which meant that routers with hostname *.fbxo.proxad.net accepted unauthenticated plaintext 6in4 tunnelling traffic from any source.
“This flaw allows attackers to abuse Free customers’ vulnerable home routers to spoof IPv6 source addresses and to perform DoS attacks,” as well as to potentially gain access to the customer’s private home network (this was not tested for ethical reasons), said Simon Migliano. The ISP has since secured the affected routers.
Attack Details
The lack of built-in authentication makes it trivial to inject traffic into the vulnerable protocols’ tunnels.
An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers.
The outer header contains the attacker’s source IP with the vulnerable host’s IP as the destination.
The inner header’s source IP is that of the vulnerable host IP rather than the attacker. The destination IP is that of the target of the anonymous attack.
When the vulnerable host receives this malicious packet, it automatically strips the outer IP header and forwards the inner packet to its destination.
As the source IP on this inner packet is that of the vulnerable but trusted host, it slips past any network filters.
This transmission of spoofed traffic renders the vulnerable host a one-way proxy.
If the vulnerable host is able to spoof IPs due to poor filtering on the part of its AS, then this allows the attacker to use any IP address as the source IP of the inner packet.
This prevents a backtrace to identify the source of an attack and secure it, which means that a spoofing-capable vulnerable host can potentially be abused indefinitely.
Prof. Vanhoef and Beitis discovered that it was possible to abuse a vulnerable host in new ways, outlined below.
Spoofing-capable hosts can also be abused to perform traditional attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, certain WiFi attacks and so on.
The report states that only accepting tunneling packets from trusted sources would, in theory, prevent attacks, although spoofing such a source would still sidestep this defense. “The only foolproof defense is to use a more secure set of protocols to provide authentication and encryption, i.e. IPsec or WireGuard,” said Simon. As usual, the vulnerabilities identified in this report have already been reported to the appropriate organisations and patched prior to publication.
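The two-header packet layout described under Attack Details, and the “only accept tunnelling packets from trusted sources” mitigation discussed above, can both be made concrete with an ingress policy check at the tunnel endpoint. The following Python is an added illustration, not code from the report or from any affected vendor: it parses the outer IPv4 header and the inner IPv4 or IPv6 header of an IPIP (protocol 4) or 6in4 (protocol 41) packet and drops it when the outer source is not a configured peer, when the inner source is the endpoint’s own address (the one-way-proxy pattern the article describes), or when the inner source falls outside the prefix the peer is expected to use. The endpoint address, peer table and sample packets are constructed for the example; the three-rule policy is an assumed design, not one the report prescribes.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IPv4 in IPv4
IPPROTO_IPV6 = 41  # IPv6 in IPv4 (6in4)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(nxt: int, src: str, dst: str, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header for constructed samples."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf: bytes):
    """Return (header_len, proto, src, dst); raises ValueError on malformed input."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    return ihl, proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def parse_ipv6(buf: bytes):
    """Return (next_header, src, dst) from a fixed IPv6 header."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, _, nxt, _, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("malformed IPv6 header")
    return nxt, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def tunnel_ingress_decision(pkt: bytes, own_outer: str, own_inner: set, peers: dict):
    """
    Decide whether a tunnel endpoint should decapsulate and forward `pkt`.

    own_outer: the endpoint's public IPv4 address (expected outer destination).
    own_inner: the endpoint's own inner addresses, as strings (v4 and/or v6).
    peers:     {outer peer IPv4 string: inner prefix string}; only these
               sources are accepted, each restricted to its inner prefix.
               (Hypothetical policy table, assumed for the example.)
    Returns (accept: bool, reason: str).
    """
    try:
        ihl, proto, o_src, o_dst = parse_ipv4(pkt)
    except ValueError as exc:
        return False, f"drop: {exc}"
    if o_dst != ipaddress.IPv4Address(own_outer):
        return False, "drop: outer destination is not this endpoint"
    if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
        return False, f"drop: protocol {proto} is not a handled tunnel type"
    if str(o_src) not in peers:
        # Rule 1: accept encapsulated traffic only from configured peers.
        return False, f"drop: outer source {o_src} is not a configured peer"
    inner = pkt[ihl:]
    try:
        if proto == IPPROTO_IPIP:
            _, _, i_src, _ = parse_ipv4(inner)
        else:
            _, i_src, _ = parse_ipv6(inner)
    except ValueError as exc:
        return False, f"drop: inner header {exc}"
    if str(i_src) in own_inner:
        # Rule 2: an inner source equal to our own address is the
        # one-way-proxy signature; never forward it.
        return False, f"drop: inner source {i_src} is this endpoint's own address"
    if i_src not in ipaddress.ip_network(peers[str(o_src)]):
        # Rule 3: inner source must belong to the peer's expected prefix
        # (mixed IPv4/IPv6 comparisons evaluate to False and are dropped).
        return False, f"drop: inner source {i_src} outside peer prefix {peers[str(o_src)]}"
    return True, "accept"


# Constructed sample configuration and packets (not captures from the report).
ENDPOINT = "203.0.113.10"
OWN_INNER = {"10.0.0.1", "2001:db8:1::1"}
PEERS = {"198.51.100.5": "10.0.1.0/24", "198.51.100.6": "2001:db8:2::/64"}


def demo():
    """Run the policy over four constructed packets and return each decision."""
    samples = {
        "good": build_ipv4(IPPROTO_IPIP, "198.51.100.5", ENDPOINT,
                           build_ipv4(17, "10.0.1.7", "10.0.0.1", b"\x00" * 8)),
        "stranger": build_ipv4(IPPROTO_IPIP, "192.0.2.99", ENDPOINT,
                               build_ipv4(17, "10.0.1.7", "10.0.0.1", b"")),
        "spoofed": build_ipv4(IPPROTO_IPV6, "198.51.100.6", ENDPOINT,
                              build_ipv6(17, "2001:db8:1::1", "2001:db8:9::1", b"")),
        "foreign": build_ipv4(IPPROTO_IPIP, "198.51.100.5", ENDPOINT,
                              build_ipv4(17, "172.16.0.9", "10.0.0.1", b"")),
    }
    return {name: tunnel_ingress_decision(p, ENDPOINT, OWN_INNER, PEERS)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

A source allowlist alone is the weaker of the two defences the article mentions, since an outer source can itself be spoofed where the upstream AS does not filter; the inner-source checks narrow what a forged packet can achieve, but the report’s recommendation of IPsec or WireGuard, which authenticate the encapsulation cryptographically, is the only check in this spirit that does not rely on addresses being honest.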