
Millions of Internet Hosts Exposed to Attacks Due to Tunneling Protocol Vulnerabilities


A new study has revealed that over 4 million internet-connected systems, including VPN servers and home routers, are vulnerable to attacks due to weaknesses in tunneling protocols. 

The research was conducted by Mathy Vanhoef, a professor at KU Leuven University in Belgium, and PhD student Angelos Beitis, in collaboration with VPN testing firm Top10VPN. Vanhoef is well known for his Wi-Fi security research, having previously discovered vulnerabilities like KRACK, Dragonblood, and FragAttacks. 

Tunneling protocols are crucial for internet communication, allowing data to be transported across networks that might not support certain types of traffic—for example, running IPv6 over an IPv4 network. These protocols work by encapsulating one packet inside another, but the researchers discovered several vulnerabilities affecting protocols like IPIP/IP6IP6, GRE/GRE6, 4in6, and 6in4. 

The vulnerabilities stem from misconfigured systems that accept tunneling packets without verifying the sender’s identity. Attackers can exploit this flaw to send specially crafted packets that appear to originate from a victim’s IP address, leading to various attack scenarios such as DoS attacks, DNS spoofing, and unauthorized access to internal networks and IoT devices. 
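The sender check that the paragraph above describes as missing, sketched as an added example (not code from the researchers or from this article): a host decapsulates a tunnel packet only when the outer source address is a configured peer. The peer allowlist, the helper names, and all addresses (documentation ranges) are assumptions; the protocol numbers are the standard IANA values.

```python
import ipaddress
import struct

# IANA IP protocol numbers for the tunnel types named in the article.
TUNNEL_PROTOS = {4: "IPIP", 41: "6in4", 47: "GRE"}
# Assumption: the one tunnel peer this host is configured for (documentation address).
ALLOWED_PEERS = {ipaddress.ip_address("192.0.2.10")}


def ipv4_header(src, dst, proto, payload_len):
    """Pack a minimal 20-byte IPv4 header (checksum 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def inner_source(proto, payload):
    """Source address the encapsulated packet claims, or None if not decoded."""
    if proto == 4 and len(payload) >= 20:
        return str(ipaddress.ip_address(payload[12:16]))
    if proto == 41 and len(payload) >= 40:
        return str(ipaddress.ip_address(payload[8:24]))
    return None  # GRE payloads and truncated packets are not decoded here


def classify(packet, allowed_peers=ALLOWED_PEERS):
    """Return (verdict, tunnel, outer_src, inner_src) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("ignore", None, None, None)
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if ihl < 20 or len(packet) < ihl or proto not in TUNNEL_PROTOS:
        return ("ignore", None, None, None)
    outer_src = ipaddress.ip_address(packet[12:16])
    # The missing check: only decapsulate packets whose outer source is a configured peer.
    verdict = "accept" if outer_src in allowed_peers else "drop"
    return (verdict, TUNNEL_PROTOS[proto], str(outer_src), inner_source(proto, packet[ihl:]))


# Constructed samples: same inner packet, sent by the configured peer and by an unknown host.
INNER = ipv4_header("10.0.0.5", "10.0.0.9", 17, 0)
GOOD = ipv4_header("192.0.2.10", "198.51.100.1", 4, len(INNER)) + INNER
BAD = ipv4_header("203.0.113.77", "198.51.100.1", 4, len(INNER)) + INNER

if __name__ == "__main__":
    for pkt in (GOOD, BAD):
        print(classify(pkt))
```

The inner source is reported alongside the verdict because a host that skips this check would forward the inner packet as if that address had sent it.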

An internet-wide scan by the researchers found 4.26 million vulnerable hosts, including VPN servers, ISP-provided home routers, core internet routers, mobile network nodes, and CDN nodes. Among these, 1.8 million systems are spoofing-capable, making them particularly dangerous. Attackers can use these systems to launch anonymous cyberattacks, with the compromised host being blamed instead of the actual attacker. 

The highest concentration of vulnerable hosts was found in China, followed by France. The vulnerabilities have been assigned CVE identifiers CVE-2024-7595, CVE-2025-23018, CVE-2025-23019, and CVE-2024-7596. 

The researchers have published technical details in a blog post on Top10VPN and in an academic paper. They have also provided mitigation strategies for individual users, ISPs, and network administrators to help secure affected systems and prevent exploitation. 
