Millions of VPN Servers and Routers Exposed to New Tunnelling Protocol Vulnerabilities

Wednesday, Jan 15th, 2025 (5:18 pm) - Score 10,400

Security and VPN researchers Simon Migliano and Mathy Vanhoef have published a new report today that warns “over 4 million internet hosts”, including VPN servers and private home broadband routers, were found to be vulnerable to being hijacked to perform anonymous attacks and provide access to their private networks – thanks to “new vulnerabilities in multiple tunneling protocols”.

The vulnerabilities (CVE-2024-7595, CVE-2025-23018/23019 and CVE-2024-7596), which relate to internet hosts accepting tunnelling packets without verifying the sender’s identity, are said to affect several tunnelling protocols that form an essential part of the internet’s backbone, such as IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4.

NOTE: At the time of writing the most affected countries appear to be China, France, Japan, the U.S. and Brazil. But some hosts in the UK were also vulnerable.

Scans suggest that as many as 4.26 million hosts could have been affected, including VPN servers, ISP home routers, core internet routers, mobile network gateways and nodes, and even CDN nodes (incl. Meta and Tencent). In addition, over 11,000 Autonomous Systems (AS) are also on the list – the most affected were Softbank, Eircom, Telmex, and China Mobile (“almost 40% of vulnerable AS fail to filter spoofing hosts”).


The full report on Top10VPN notes that affected hosts accept unauthenticated tunnelling traffic from any source, which “means they can be abused as one-way proxies to perform a range of anonymous attacks” and may potentially even be abused to “gain access to victims’ private networks”.

Interestingly, over 17% of all vulnerable hosts (726,194) were said to stem from a “misconfiguration” in French ISP Free’s home routers, which meant that routers with the hostname *.fbxo.proxad.net accepted unauthenticated plaintext 6in4 tunnelling packets from any source.

“This flaw allows attackers to abuse Free customers’ vulnerable home routers to spoof IPv6 source addresses and to perform DoS attacks,” as well as to potentially gain access to the customer’s private home network (this was not tested for ethical reasons), said Simon Migliano. The ISP has since secured the affected routers.

Attack Details

The lack of built-in authentication makes it trivial to inject traffic into the vulnerable protocols’ tunnels.

An attacker simply needs to send a packet encapsulated using one of the affected protocols with two IP headers.

The outer header contains the attacker’s source IP with the vulnerable host’s IP as the destination.

The inner header’s source IP is that of the vulnerable host rather than the attacker’s. The destination IP is that of the target of the anonymous attack.

When the vulnerable host receives this malicious packet, it automatically strips the outer IP header and forwards the inner packet to its destination.

As the source IP on this inner packet is that of the vulnerable but trusted host, it slips past any network filters.

This transmission of spoofed traffic renders the vulnerable host a one-way proxy.

If the vulnerable host is able to spoof IPs due to poor filtering on the part of its AS, then this allows the attacker to use any IP address as the source IP of the inner packet.

This prevents a backtrace to identify the source of an attack and secure it, which means that a spoofing-capable vulnerable host can potentially be abused indefinitely.

Prof. Vanhoef and Beitis discovered that it was possible to abuse a vulnerable host in new ways, outlined below.

Spoofing-capable hosts can also be abused to perform traditional attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, certain WiFi attacks and so on.

The report states that only accepting tunneling packets from trusted sources would, in theory, prevent attacks, although spoofing such a source would still sidestep this defense. “The only foolproof defense is to use a more secure set of protocols to provide authentication and encryption, i.e. IPsec or WireGuard,” said Simon. As usual, the vulnerabilities identified in this report have already been reported to the appropriate organisations and patched prior to publication.
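To make the two points above concrete (the two-header packet that a vulnerable host unwraps and forwards, and the trusted-source filter that the report says helps but is not sufficient on its own), here is a small Python packet classifier written for this article. It is example code, not part of the Top10VPN report or of any affected product. The addresses are from the RFC 5737 and RFC 3849 documentation ranges, the packets are constructed in memory, and the policy values (trusted peers, own addresses, expected inner prefixes) are assumptions chosen for the example. The classifier parses the outer IPv4 header, drops IPIP/6in4 packets whose outer source is not a configured peer, and then, because an outer source can itself be spoofed, raises an alert when the inner source is the host’s own address (the one-way-proxy pattern) or falls outside the prefixes that peer is expected to originate.

```python
"""Classify IPIP (protocol 4) and 6in4 (protocol 41) packets against a
trusted-peer policy and an inner-source sanity check. Example code for
this article; all addresses and policy values are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4    # IPv4 carried inside IPv4
IPPROTO_IPV6 = 41   # IPv6 carried inside IPv4 (6in4)


@dataclass
class Verdict:
    action: str   # "ignore", "accept", "drop" or "alert"
    reason: str


def parse_ipv4_header(buf: bytes):
    """Return (header_length, protocol, src, dst) for an IPv4 header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    return ihl, proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def parse_ipv6_header(buf: bytes):
    """Return (next_header, src, dst) for an IPv6 header."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, _, next_hdr, _, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("malformed IPv6 header")
    return next_hdr, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def classify_tunnel_packet(raw: bytes, trusted_peers, own_addresses, expected_inner=()):
    """Decide what to do with one received IPv4 packet.

    trusted_peers:  set of IPv4Address allowed to send us tunnel traffic.
    own_addresses:  set of this host's own IPv4/IPv6 addresses.
    expected_inner: networks the trusted peers are expected to originate."""
    ihl, proto, outer_src, _outer_dst = parse_ipv4_header(raw)
    if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
        return Verdict("ignore", "not an IPIP or 6in4 packet")
    # Check 1: the trusted-source filter described in the report.
    if outer_src not in trusted_peers:
        return Verdict("drop", f"outer source {outer_src} is not a configured tunnel peer")
    inner = raw[ihl:]
    if proto == IPPROTO_IPIP:
        _, _, inner_src, _ = parse_ipv4_header(inner)
    else:
        _, inner_src, _ = parse_ipv6_header(inner)
    # Check 2: a spoofed outer source still shows the one-way-proxy pattern
    # if the inner packet claims to come from this host itself ...
    if inner_src in own_addresses:
        return Verdict("alert", f"inner source {inner_src} is this host's own address (one-way proxy pattern)")
    # Check 3: ... or from a prefix the peer has no business originating.
    if expected_inner and not any(inner_src in net for net in expected_inner):
        return Verdict("alert", f"inner source {inner_src} is outside the prefixes expected from {outer_src}")
    return Verdict("accept", "tunnel packet from trusted peer with plausible inner source")


def build_ipv4(src, dst, proto, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_hdr, payload: bytes) -> bytes:
    """Constructed test input: minimal IPv6 header plus payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def demo() -> dict:
    """Run the classifier over constructed packets; returns {scenario: action}."""
    host4 = ipaddress.IPv4Address("192.0.2.10")          # the tunnel endpoint we defend
    peer = ipaddress.IPv4Address("198.51.100.1")         # its one legitimate tunnel peer
    policy = dict(
        trusted_peers={peer},
        own_addresses={host4, ipaddress.IPv6Address("2001:db8::10")},
        expected_inner=[ipaddress.ip_network("198.51.100.0/24"),
                        ipaddress.ip_network("2001:db8:1::/48")],
    )
    results = {}
    # Inner packet whose source is the endpoint itself, as in the attack description.
    inner_own = build_ipv4("192.0.2.10", "203.0.113.77", 17, b"payload")
    # 1. Untrusted outer source: an unfiltered host would forward this; the filter drops it.
    results["untrusted_outer"] = classify_tunnel_packet(
        build_ipv4("203.0.113.5", "192.0.2.10", IPPROTO_IPIP, inner_own), **policy).action
    # 2. Outer source spoofed as the trusted peer, inner source is the host itself.
    results["spoofed_peer_own_inner"] = classify_tunnel_packet(
        build_ipv4("198.51.100.1", "192.0.2.10", IPPROTO_IPIP, inner_own), **policy).action
    # 3. Normal 6in4 traffic from the peer, inner source inside its expected prefix.
    inner_ok = build_ipv6("2001:db8:1::5", "2001:db8:2::1", 58, b"")
    results["legit_6in4"] = classify_tunnel_packet(
        build_ipv4("198.51.100.1", "192.0.2.10", IPPROTO_IPV6, inner_ok), **policy).action
    # 4. 6in4 from the peer but with an inner source it should never originate.
    inner_bad = build_ipv6("2001:db8:9::5", "2001:db8:2::1", 58, b"")
    results["unexpected_inner"] = classify_tunnel_packet(
        build_ipv4("198.51.100.1", "192.0.2.10", IPPROTO_IPV6, inner_bad), **policy).action
    # 5. Plain UDP, not a tunnel packet at all.
    results["plain_udp"] = classify_tunnel_packet(
        build_ipv4("198.51.100.1", "192.0.2.10", 17, b"x"), **policy).action
    return results


if __name__ == "__main__":
    for scenario, action in demo().items():
        print(f"{scenario:24s} -> {action}")
```

The allowlist alone (check 1) is exactly the defence the report calls insufficient, since an attacker who can spoof the peer’s address passes it; checks 2 and 3 catch what a spoofed outer source cannot hide, namely an implausible inner source. Neither replaces the report’s actual recommendation, which is to carry the tunnel inside IPsec or WireGuard so the peer is authenticated cryptographically rather than by address.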

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
14 Responses


  1. K says:

    I would just like to point out that I said this on this forum a while ago about free VPNs being used in tunnelling attacks by hackers. I was ridiculed and even a so called PhD qualified professional said I was talking nonsense. What an idiot.

  2. A Stevens says:

    If you really want to VPN your whole network properly, buy yourself a VPS cloud server for £2/month. Configure it with WireGuard, create a WireGuard client on your home router (most newer types support it now) and bingo, all done. Yes, some geek knowledge is required, but this gives you a ‘commercial grade’ solution for your whole network, for trivial money and no further subscriptions needed!

    1. NotAGeek says:

      Any links to tutorials for something like this would be useful to the less geek knowledgy people who may frequent this site (such as myself)

    2. A Stevens says:

      @NotAGeek – there are lots of tutorials out there. Here’s one example: https://monovm.com/blog/wireGuard-vpn-on-vps/
      Admittedly, if you’re not confident on Linux systems and generally au fait with networking, it’s not an easy thing to do first time!

  3. John says:

    I was told I was bad and that I “have something to hide” for advocating everyone gets a paid VPN service

    If something is free then you are the product

  4. Anthony says:

    In the UK, where the V-For Vendetta-style Labour Party throws people in prison for multiple years for making a single Twitter post, everyone needs a VPN these days. Are just free VPNs at risk from this? What about reputable ones like Windscribe?

    1. 125us says:

      Don’t be silly. Labour have changed no laws. The law is enforced by the police, CPS and courts.

    2. Anthony says:

      Keir Starmer held a COBRA meeting when he directed the police, courts and everyone else to go after social media commentators. He left the meeting saying to the media he will lock up people for social media posts. That is what I am reporting on in my answer. He hasn’t got the nickname two tier Keir for nothing you know. He released child killers and child rapists from prison and replaced them with grannies who made a single post on social media. That is why we all need VPNs.

    3. 125us says:

      None of that is really true though, is it?

      If you believe you need a VPN because it’s the only way you can use the Internet in a way that breaks the law without being accountable for your actions, perhaps consider counselling?

  5. Please correct me if I'm wrong says:

    I’m a little confused by these comments discussing free vs paid VPNs because the issue seems to be more to do with the protocols.

    Are people getting confused with Free being the name of the French ISP?

    1. Anthony says:

      I am confused as the comments are all suggesting every free VPN is affected by this issue. I therefore asked are there any paid for VPNs affected too.

    2. Please correct me if I'm wrong says:

      It sounds like it doesn’t whether they’re paid or not, just whether they’re using the vulnerable protocols.

    3. Please correct me if I'm wrong says:

      Correction:

      I meant to say it sounds like it doesn’t matter whether they’re paid or not.

  6. john says:

    “new vulnerabilities in multiple tunneling protocols”

    This is not the right way of looking at it. The protocols are not vulnerable. In general, protocols do not offer any authentication, authorization or encryption. They do what they need to do and no more. Security is handled by other protocols designed for that purpose through which the lower level protocols are gated.

    The problem here is that server administrators making use of tunnelling protocols have exposed them to the internet without protecting them with the proper security protocols. It’s a mistake as old as the internet.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved