Full Report
New research has uncovered security vulnerabilities in multiple tunneling protocols that could allow attackers to perform a wide range of attacks. "Internet hosts that accept tunneling packets without verifying the sender's identity can be hijacked to perform anonymous attacks and provide access to their networks," Top10VPN said in a study, as part of a collaboration with KU Leuven professor
Analysis Summary
# Vulnerability: Unauthenticated Tunneling Protocol Abuse Leading to Proxying and DoS
## CVE Details
- CVE ID: CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, CVE-2025-23019 (Specific assignment depends on the protocol variant)
- CVSS Score: Not explicitly provided in the text, but the impact suggests a high score (Medium to High severity outcome).
- CWE: Not explicitly provided, but relates to improper input validation/lack of authentication in tunneling protocols.
## Affected Systems
- Products: VPN servers, ISP home routers, core internet routers, mobile network gateways, and Content Delivery Network (CDN) nodes that implement tunneling protocols without adequate security.
- Versions: Undisclosed, but affects implementations of GRE/GRE6, Generic UDP Encapsulation, IPv4-in-IPv6 (4in6), and IPv6-in-IPv4 (6in4) that do not properly authenticate or encrypt traffic.
- Configurations: Systems accepting tunneling packets from external senders without verifying the sender's identity.
## Vulnerability Description
The vulnerability stems from the fact that several tunneling protocols (specifically **IP6IP6, GRE6, 4in6, and 6in4**) facilitate data transfer between disconnected networks but inherently lack authentication and encryption mechanisms, such as **IPsec**. This absence of security guardrails allows an attacker to inject malicious traffic into a tunnel, typically by encapsulating a packet with two IP headers, thereby hijacking the susceptible system.
## Exploitation
- Status: Not explicitly stated as exploited in the wild in this text, but the potential exists.
- Complexity: Low (An attacker "simply needs to send a packet encapsulated using one of the affected protocols with two IP headers").
- Attack Vector: Network (Remote). Capabilities include creating one-way proxies, spoofing source IPv4/IPv6 addresses, and launching Denial-of-Service (DoS) attacks.
## Impact
- Confidentiality: Potential exposure through unauthorized proxying or network access.
- Integrity: Potential integrity compromise through traffic spoofing.
- Availability: Potential loss of availability via Denial-of-Service (DoS) attacks.
## Remediation
### Patches
- Specific vendor patches are not detailed in this summary. Users must consult vendor advisories related to the specific devices (VPNs, Routers) running the affected tunneling protocols.
### Workarounds
- Implement security controls to ensure that tunneling protocols (GRE/GRE6, 4in6, 6in6) are only used when secured by appropriate protocols, such as **IPsec**.
- Verify that tunneling endpoints are properly authenticated.
## Detection
- Indicators of Compromise (IoCs): Observation of encapsulated packets with double IP headers targeting vulnerable endpoints or unexpected proxy traffic originating from the host.
- Detection methods and tools: Network monitoring tools capable of deep packet inspection (DPI) to identify traffic utilizing the specified tunneling protocols (GRE, 4in6, 6in4) without accompanying encryption or authentication markers (like IPsec).
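The double-IP-header pattern named in the IoCs above can be checked directly on captured packets. The following classifier is an added example for this summary (not code from the advisory, CERT/CC, Top10VPN or any vendor): it reads the outermost IPv4/IPv6 header, recognises the IANA protocol numbers that carry an inner IP packet (4 for IP-in-IP/4in6, 41 for 6in4/IP6IP6, 47 for GRE/GRE6) or that mark IPsec protection (50 ESP, 51 AH), walks the GRE base header and its optional checksum/key/sequence fields, confirms that a second IP header of the advertised version really follows, and raises an alert when the outer source is not in an allowlist of configured tunnel peers. The allowlist and the sample packets are assumptions constructed for the example; IPv6 extension headers are not walked.

```python
"""Flag unauthenticated tunnel encapsulation in raw IP packets (added example)."""
import ipaddress
import struct

# IANA IP protocol numbers that carry another IP packet, and those that mark
# IPsec protection (the "authentication markers" the advisory refers to).
ENCAP_PROTOS = {4: "IPIP/4in6", 41: "6in4/IP6IP6", 47: "GRE/GRE6"}
IPSEC_PROTOS = {50: "ESP", 51: "AH"}
GRE_ETHERTYPES = {0x0800: 4, 0x86DD: 6}  # GRE protocol-type field -> inner IP version

# Assumed allowlist: the only remote endpoint this host legitimately tunnels with.
PEERS = {ipaddress.ip_address("198.51.100.1")}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst, next_hdr, payload_len):
    """40-byte IPv6 header (constructed test data)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_outer(pkt):
    """Return (version, src, dst, protocol/next-header, payload) of the outermost IP header."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        return 4, ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[9], pkt[ihl:]
    if version == 6:
        return 6, ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), pkt[6], pkt[40:]
    raise ValueError("not an IP packet")


def classify(pkt, allowed_peers):
    """Verdicts: not-tunnel, ipsec, expected-tunnel, unauthenticated-tunnel, malformed."""
    version, src, dst, proto, payload = parse_outer(pkt)
    if proto in IPSEC_PROTOS:
        return {"verdict": "ipsec", "src": str(src), "detail": IPSEC_PROTOS[proto]}
    if proto not in ENCAP_PROTOS:
        return {"verdict": "not-tunnel", "src": str(src), "detail": f"proto {proto}"}
    if proto == 47:
        # GRE: 4-byte base header, then optional checksum (C=0x80), key (K=0x20)
        # and sequence (S=0x10) words before the inner packet (RFC 2784/2890).
        if len(payload) < 4:
            return {"verdict": "malformed", "src": str(src), "detail": "truncated GRE header"}
        flags = payload[0]
        offset = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
        expected_inner = GRE_ETHERTYPES.get(struct.unpack("!H", payload[2:4])[0])
        inner = payload[offset:]
    else:
        expected_inner = 4 if proto == 4 else 6
        inner = payload
    # The advertised encapsulation must actually be followed by an IP header of
    # that version; otherwise the packet is not a well-formed double-header packet.
    if not inner or expected_inner is None or (inner[0] >> 4) != expected_inner:
        return {"verdict": "malformed", "src": str(src), "detail": "inner header does not match advertised version"}
    detail = f"{ENCAP_PROTOS[proto]}: IPv{version} outer carrying IPv{expected_inner} inner"
    if src in allowed_peers:
        return {"verdict": "expected-tunnel", "src": str(src), "detail": detail}
    # Two IP headers from a sender never configured as a tunnel peer: the
    # pattern the advisory's IoCs describe.
    return {"verdict": "unauthenticated-tunnel", "src": str(src), "detail": detail}


def alerts(packets, allowed_peers):
    """Return the (src, detail) pairs of packets that warrant an alert."""
    return [(r["src"], r["detail"]) for r in (classify(p, allowed_peers) for p in packets)
            if r["verdict"] == "unauthenticated-tunnel"]


# Constructed sample traffic seen by a monitor in front of host 192.0.2.10.
SAMPLES = {
    "6in4_from_unknown": ipv4_header("203.0.113.7", "192.0.2.10", 41, 40)
                         + ipv6_header("2001:db8::1", "2001:db8::2", 59, 0),
    "gre_from_peer": ipv4_header("198.51.100.1", "192.0.2.10", 47, 24)
                     + struct.pack("!BBH", 0, 0, 0x0800) + ipv4_header("10.0.0.1", "10.0.0.2", 6, 0),
    "gre_keyed_from_unknown": ipv4_header("203.0.113.8", "192.0.2.10", 47, 48)
                              + struct.pack("!BBHI", 0x20, 0, 0x86DD, 42)
                              + ipv6_header("2001:db8::1", "2001:db8::2", 59, 0),
    "esp": ipv4_header("203.0.113.9", "192.0.2.10", 50, 8) + b"\x00" * 8,
    "plain_tcp": ipv4_header("203.0.113.5", "192.0.2.10", 6, 20) + b"\x00" * 20,
    "4in6_from_unknown": ipv6_header("2001:db8:ffff::1", "2001:db8::10", 4, 20)
                         + ipv4_header("10.1.1.1", "10.1.1.2", 6, 0),
    "bogus_inner": ipv4_header("203.0.113.7", "192.0.2.10", 41, 4) + b"\x45\x00\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {classify(pkt, PEERS)}")
    print("alerts:", alerts(SAMPLES.values(), PEERS))
```

Run on a live feed, the allowlist is the important part: encapsulated traffic from a configured peer is normal, and the finding is specifically encapsulated packets from anyone else, or encapsulation that is not wrapped in ESP/AH. A GRE key or sequence number is not an authentication marker and does not move a packet out of the alert class.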
## References
- Vendor advisories: CERT/CC Advisory (ID 199397).
- Relevant links:
  - https://www.top10vpn.com/research/tunneling-protocol-vulnerability/
  - https://kb.cert.org/vuls/id/199397
- Previous related flaw: CVE-2020-10136 (Tenable blog for context).