Researchers at the DistriNet-KU Leuven research group have uncovered a widespread vulnerability affecting millions of Internet systems that accept unauthenticated traffic through various tunneling protocols.
The vulnerability, designated as VU#199397, represents a significant expansion of the previously identified CVE-2020-10136 and exposes critical infrastructure to multiple attack vectors.
Vulnerability Discovery and Scale
The research team, led by Mathy Vanhoef and Angelos Beitis, identified that systems implementing IPIP, GRE, 4in6, and 6in4 tunneling protocols lack proper authentication mechanisms for incoming traffic.
This vulnerability has been assigned multiple CVE identifiers, including CVE-2024-7595 for GRE and GRE6 protocols (RFC2784), CVE-2024-7596 for Generic UDP Encapsulation (GUE), CVE-2025-23018 for IPv4-in-IPv6 and IPv6-in-IPv6 protocols (RFC2473), and CVE-2025-23019 for IPv6-in-IPv4 protocol (RFC4213).
The fundamental issue stems from these protocols’ failure to validate or verify the source of network packets, creating what researchers classify as CWE-290, Authentication Bypass by Spoofing.
While IPsec can protect against these attacks, poor implementation practices have left millions of systems vulnerable to exploitation.
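To make the missing source check concrete, the following added example (not code from the researchers or the CERT advisory) classifies raw IP packets by their outer header and flags tunnel traffic whose source is not a configured tunnel peer. The function names, peer list, and sample packets are assumptions constructed for illustration; the protocol numbers 4, 41, and 47 are the IANA values for IPv4 encapsulation, IPv6 encapsulation, and GRE.

```python
import ipaddress
import struct

# (outer IP version, IANA protocol number) -> encapsulation named in the article
TUNNELS = {(4, 4): "IPIP", (4, 41): "6in4", (4, 47): "GRE",
           (6, 4): "4in6", (6, 41): "6in6", (6, 47): "GRE6"}

def classify(packet: bytes, configured_peers):
    """Return (verdict, encapsulation) from the outer IP header of a raw packet."""
    version = packet[0] >> 4 if packet else 0
    if version == 4 and len(packet) >= 20:
        src, proto = packet[12:16], packet[9]
    elif version == 6 and len(packet) >= 40:
        # Simplification: only the first Next Header field is read, so a
        # tunnel payload behind extension headers is not recognised.
        src, proto = packet[8:24], packet[6]
    else:
        raise ValueError("not a complete IPv4 or IPv6 header")
    kind = TUNNELS.get((version, proto))
    if kind is None:
        return "not-tunnel", None
    # A matching source is only a filter: the address can be spoofed, so this
    # does not authenticate the sender the way IPsec does.
    peers = {ipaddress.ip_address(p) for p in configured_peers}
    known = ipaddress.ip_address(src) in peers
    return ("configured-peer" if known else "unexpected-source"), kind

def ipv4(src, dst, proto, payload=b""):
    """Build a constructed IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def ipv6(src, dst, next_header, payload=b""):
    """Build a constructed IPv6 header plus payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

# Constructed samples using documentation address ranges (RFC 5737 / RFC 3849).
PEERS = ["192.0.2.10", "2001:db8::10"]
SAMPLES = [
    ipv4("192.0.2.10", "198.51.100.1", 47),   # GRE from the configured peer
    ipv4("203.0.113.7", "198.51.100.1", 4),   # IPIP from an unknown host
    ipv6("2001:db8::99", "2001:db8::1", 41),  # 6in6 from an unknown host
    ipv4("203.0.113.7", "198.51.100.1", 6),   # plain TCP, not a tunnel
]

if __name__ == "__main__":
    print([classify(p, PEERS) for p in SAMPLES])
```

A host that accepts the second and third sample packets and forwards their inner payload is behaving the way the article describes.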
Attack Vectors and Impact
The vulnerability enables several sophisticated attack methods that pose significant risks to the network infrastructure.
Adversaries can exploit these flaws to create one-way proxies and spoof source IPv4/6 addresses, potentially gaining unauthorized access to private networks.
The research identified two distinct Denial-of-Service (DoS) attack vectors with substantial amplification capabilities.
The first attack, termed “Tunneled-Temporal Lensing,” concentrates traffic in time, while the second creates packet loops between vulnerable systems, achieving amplification factors of at least 13-fold and 75-fold, respectively.
Additionally, researchers discovered an Economic Denial of Sustainability (EDoS) attack that drains outgoing bandwidth from vulnerable systems, significantly increasing operational costs for organizations using third-party cloud service providers.
Mitigation and Vendor Response
The CERT Coordination Center has contacted affected vendors to address the vulnerability.
Current vendor status shows that major network equipment manufacturers, including Cisco, Honeywell, Juniper Networks, and Marvell Semiconductor, are affected by the vulnerability.
Conversely, vendors such as Arista Networks, Aruba Networks, Deutsche Telekom, and D-Link Systems have been classified as not affected.