
Major Security Flaws Discovered in Common Tunneling Protocols: Millions of Devices at Risk


CyberSecureFox Editorial Team


Cybersecurity researchers have uncovered severe vulnerabilities in widely used tunneling protocols, potentially compromising the security of more than 4.26 million devices worldwide. The discovery affects VPN servers, routers, and various network infrastructure components, presenting significant risks to organizational and personal network security.

Tunneling Protocol Flaws Identified by KU Leuven Researchers

Research conducted by KU Leuven’s Professor Mathy Vanhoef and doctoral researcher Angelos Beitis, in collaboration with Top10VPN, has identified critical security flaws in essential tunneling protocols including IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4. The primary vulnerability stems from inadequate sender authentication in tunnel packets, creating multiple attack vectors that could be exploited by malicious actors.

Technical Impact and Security Implications

The discovered vulnerabilities enable several sophisticated attack scenarios:

  • Anonymous network attacks through host compromise
  • Unauthorized creation of one-way proxy servers
  • Large-scale DDoS attack facilitation
  • DNS request spoofing capabilities
  • Unauthorized access to internal networks and IoT devices

Global Distribution of Affected Systems

The vulnerability assessment shows affected devices concentrated across major technological hubs. Over 1.8 million of the vulnerable hosts are susceptible to spoofing attacks, with the highest number of affected systems located in China, France, Japan, the United States, and Brazil.

Mitigating IPIP, GRE, and 6in4 Tunnel Vulnerabilities

Security experts recommend implementing a comprehensive defense strategy including:

  • Deployment of IPSec or WireGuard protocols for robust authentication and encryption
  • Implementation of strict source validation for tunnel packets
  • Configuration of comprehensive network-level traffic filtering
  • Integration of Deep Packet Inspection (DPI) systems
  • Enforcement of encrypted tunnel packet requirements

The vulnerabilities are tracked as CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, and CVE-2025-23019. Network operators running VPN concentrators or routers that terminate IPIP, GRE, or 6in4 tunnels should verify that their firewall rules block tunnel packets arriving on public interfaces from untrusted sources — this is the core authentication gap the research identified.

