Security and VPN researchers Simon Migliano and Mathy Vanhoef have published a new report today that warns “over 4 million internet hosts”, including VPN servers and private home broadband routers, were found to be vulnerable to being hijacked to perform anonymous attacks and provide access to their private networks – thanks to “new vulnerabilities in multiple tunneling protocols”.
The vulnerabilities (CVE-2024-7595, CVE-2025-23018/23019 and CVE-2024-7596), which relate to how internet hosts may accept tunnelling packets without verifying the sender’s identity, are said to impact various tunnelling protocols (an essential backbone of the internet), such as IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4.
Scans suggest that as many as 4.26 million hosts could have been affected, including VPN servers, ISP home routers, core internet routers, mobile network gateways and nodes, and even CDN nodes (incl. Meta and Tencent). In addition, over 11,000 Autonomous Systems (AS) are also on the list – the most affected were Softbank, Eircom, Telmex, and China Mobile (“almost 40% of vulnerable AS fail to filter spoofing hosts”).
The full report on Top10VPN notes that affected hosts accept unauthenticated tunnelling traffic from any source, which “means they can be abused as one-way proxies to perform a range of anonymous attacks” and may potentially even be abused to “gain access to victims’ private networks”.
Interestingly, over 17% of all vulnerable hosts (726,194) were said to have stemmed from a “misconfiguration” in French ISP Free’s home routers, which meant that routers with hostname *.fbxo.proxad.net accepted unauthenticated plaintext 6in4 tunnelling traffic from any source.
“This flaw allows attackers to abuse Free customers’ vulnerable home routers to spoof IPv6 source addresses and to perform DoS attacks,” as well as to potentially gain access to the customer’s private home network (this was not tested for ethical reasons), said Simon Migliano. The ISP has since secured the affected routers.
Attack Details
The lack of built-in authentication makes it trivial to inject traffic into the vulnerable protocols’ tunnels.
An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers.
The outer header contains the attacker’s source IP with the vulnerable host’s IP as the destination.
The inner header’s source IP is that of the vulnerable host rather than the attacker’s own address. The destination IP is that of the target of the anonymous attack.
When the vulnerable host receives this malicious packet, it automatically strips the outer IP header and forwards the inner packet to its destination.
As the source IP on this inner packet is that of the vulnerable but trusted host, it slips past any network filters.
This transmission of spoofed traffic renders the vulnerable host a one-way proxy.
If the vulnerable host is able to spoof IPs due to poor filtering on the part of its AS, then this allows the attacker to use any IP address as the source IP of the inner packet.
This prevents a backtrace to identify the source of an attack and secure it, which means that a spoofing-capable vulnerable host can potentially be abused indefinitely.
Prof. Vanhoef and Beitis discovered that it was possible to abuse a vulnerable host in new ways, outlined below.
Spoofing-capable hosts can also be abused to perform traditional attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, certain WiFi attacks and so on.
The report states that only accepting tunneling packets from trusted sources would, in theory, prevent attacks, although spoofing such a source would still sidestep this defense. “The only foolproof defense is to use a more secure set of protocols to provide authentication and encryption, i.e. IPsec or WireGuard,” said Simon. As usual, the vulnerabilities identified in this report have already been reported to the appropriate organisations and patched prior to publication.
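The packet layout described under “Attack Details” and the “trusted sources only” mitigation discussed here can be turned into a concrete decapsulation check. The following is an added illustration, not code from the report or its authors: it parses the outer IPv4 header of an IPIP (protocol 4) or 6in4 (protocol 41) packet, refuses anything whose outer source is not a configured peer, and then refuses inner packets that claim to originate from the endpoint itself or from a prefix the peer is not allowed to send. The local address, the peer table and the sample packets are constructed for the example using documentation address ranges.

```python
"""Tunnel-endpoint acceptance check for IPIP and 6in4 packets (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

IPPROTO_IPIP = 4    # IPv4 carried inside IPv4
IPPROTO_IPV6 = 41   # 6in4: IPv6 carried inside IPv4
ACCEPT, DROP = "accept", "drop"

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Header:
    src: IPAddr
    dst: IPAddr
    proto: int    # IPv4 protocol field / IPv6 next-header field
    length: int   # header length in bytes


def parse_ipv4_header(buf: bytes) -> Header:
    """Minimal IPv4 header parse (no checksum or option validation)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return Header(ipaddress.IPv4Address(buf[12:16]),
                  ipaddress.IPv4Address(buf[16:20]), buf[9], ihl)


def parse_ipv6_header(buf: bytes) -> Header:
    """Minimal fixed IPv6 header parse (extension headers not walked)."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    return Header(ipaddress.IPv6Address(buf[8:24]),
                  ipaddress.IPv6Address(buf[24:40]), buf[6], 40)


def evaluate_tunnel_packet(packet: bytes, local_ip: str,
                           peers: Dict[ipaddress.IPv4Address, List[IPNet]]) -> Tuple[str, str]:
    """Return (verdict, reason) for one encapsulated packet received on the outside."""
    local = ipaddress.IPv4Address(local_ip)
    outer = parse_ipv4_header(packet)
    if outer.dst != local:
        return DROP, "outer destination is not this endpoint"
    if outer.proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
        return DROP, f"protocol {outer.proto} is not a handled tunnel type"
    allowed = peers.get(outer.src)          # the "trusted sources only" rule
    if allowed is None:
        return DROP, f"outer source {outer.src} is not a configured tunnel peer"
    inner_buf = packet[outer.length:]
    inner = (parse_ipv4_header(inner_buf) if outer.proto == IPPROTO_IPIP
             else parse_ipv6_header(inner_buf))
    if inner.src == local:                  # the one-way-proxy pattern from the report
        return DROP, "inner source claims to be this endpoint"
    if not any(inner.src in net for net in allowed):
        return DROP, f"inner source {inner.src} is outside the prefixes allowed for {outer.src}"
    return ACCEPT, f"inner {inner.src} -> {inner.dst} via peer {outer.src}"


# --- constructed sample data (documentation ranges, not real hosts) ---------
LOCAL_IP = "203.0.113.10"
PEERS = {ipaddress.IPv4Address("198.51.100.1"):
         [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("2001:db8:10::/48")]}


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def encapsulate(outer_src: str, inner: bytes, proto: int) -> bytes:
    return build_ipv4_header(outer_src, LOCAL_IP, proto, len(inner)) + inner


def run_samples() -> Dict[str, Tuple[str, str]]:
    cases = {
        "untrusted_outer": encapsulate("192.0.2.77", build_ipv4_header(LOCAL_IP, "198.51.100.200", 17, 0), IPPROTO_IPIP),
        "peer_good": encapsulate("198.51.100.1", build_ipv4_header("10.10.1.5", "10.10.2.9", 17, 0), IPPROTO_IPIP),
        "peer_spoofs_endpoint": encapsulate("198.51.100.1", build_ipv4_header(LOCAL_IP, "198.51.100.200", 17, 0), IPPROTO_IPIP),
        "peer_6in4_good": encapsulate("198.51.100.1", build_ipv6_header("2001:db8:10::1", "2001:db8:20::1", 59, 0), IPPROTO_IPV6),
        "peer_6in4_foreign": encapsulate("198.51.100.1", build_ipv6_header("2001:db8:ffff::1", "2001:db8:20::1", 59, 0), IPPROTO_IPV6),
    }
    return {name: evaluate_tunnel_packet(pkt, LOCAL_IP, PEERS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:22s} {verdict:7s} {reason}")
```

The peer allow-list is exactly the partial defence the report describes: it only consults the outer source address, so a sender that can spoof that address on a poorly filtered network still gets through. That is why the usage here pairs it with the inner-source checks and why the report’s recommendation is an authenticated, encrypted tunnel (IPsec or WireGuard) rather than address filtering alone.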
I would just like to point out that I said this on this forum a while ago about free VPNs being used in tunnelling attacks by hackers. I was ridiculed and even a so-called PhD qualified professional said I was talking nonsense. What an idiot.
If you really want to VPN your whole network properly, buy yourself a VPS cloud server for £2/month. Configure it with WireGuard, create a WireGuard client on your home router (most newer types support it now) and bingo, all done. Yes, some geek knowledge is required, but this gives you a ‘commercial grade’ solution for your whole network, for trivial money and no further subscriptions needed!
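The VPS-plus-router arrangement this comment describes boils down to two WireGuard configuration files. The fragment below is an added illustration, not taken from the comment or from any tutorial: the tunnel subnet, the VPS outbound interface name (assumed to be eth0) and every key, address and port are placeholders to be replaced with your own values.

```ini
# --- on the VPS: /etc/wireguard/wg0.conf (placeholders throughout) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# masquerade tunnel traffic out of the VPS's public interface (assumed eth0)
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# the home router; only its tunnel address is routed back to it
PublicKey = <router-public-key>
AllowedIPs = 10.8.0.2/32

# --- on the home router: WireGuard client (placeholders throughout) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <router-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = <vps-public-ip>:51820
# 0.0.0.0/0 sends the whole network's traffic through the tunnel
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

The VPS also needs IP forwarding enabled (net.ipv4.ip_forward=1) and UDP port 51820 open in its firewall. Unlike the bare tunnelling protocols in the article above, every WireGuard packet is authenticated against the peer’s key, so a packet from an unknown sender is simply discarded rather than decapsulated and forwarded.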
Any links to tutorials for something like this would be useful to the less geek-knowledgeable people who may frequent this site (such as myself).
@NotAGeek – there are lots of tutorials out there. Here’s one example: https://monovm.com/blog/wireGuard-vpn-on-vps/
Admittedly, if you’re not confident on Linux systems and generally au fait with networking, it’s not an easy thing to do first time!
I was told I was bad and that I “have something to hide” for advocating everyone gets a paid VPN service
If something is free then you are the product
In the UK, where the V for Vendetta-style Labour Party throws people in prison for multiple years for making a single Twitter post, everyone needs a VPN these days. Are just free VPNs at risk from this? What about reputable ones like Windscribe?
Don’t be silly. Labour have changed no laws. The law is enforced by the police, CPS and courts.
Keir Starmer held a COBRA meeting when he directed the police, courts and everyone else to go after social media commentators. He left the meeting saying to the media he will lock up people for social media posts. That is what I am reporting on in my answer. He hasn’t got the nickname Two Tier Keir for nothing, you know. He released child killers and child rapists from prison and replaced them with grannies who made a single post on social media. That is why we all need VPNs.
None of that is really true though, is it?
If you believe you need a VPN because it’s the only way you can use the Internet in a way that breaks the law without being accountable for your actions, perhaps consider counselling?
I’m a little confused by these comments discussing free vs paid VPNs because the issue seems to be more to do with the protocols.
Are people getting confused with Free being the name of the French ISP?
I am confused as the comments are all suggesting every free VPN is affected by this issue. I therefore asked are there any paid for VPNs affected too.
It sounds like it doesn’t whether they’re paid or not, just whether they’re using the vulnerable protocols.
Correction:
I meant to say it sounds like it doesn’t matter whether they’re paid or not.
“new vulnerabilities in multiple tunneling protocols”
This is not the right way of looking at it. The protocols are not vulnerable. In general, protocols do not offer any authentication, authorization or encryption. They do what they need to do and no more. Security is handled by other protocols designed for that purpose, through which the lower-level protocols are gated.
The problem here is that server administrators making use of tunnelling protocols have exposed them to the internet without protecting them with the proper security protocols. It’s a mistake as old as the internet.