Serious Vulnerabilities Found in VPN Services: Over 4 Million Affected
VPN services have long been lauded for their ability to protect privacy, unblock geo-restricted content, and prevent overpricing based on location. However, a recent investigation by Top10VPN, in collaboration with security researcher Mathy Vanhoef, has exposed troubling security flaws within the technology. The discovery, which was shared ahead of the USENIX 2025 conference, reveals that over 4 million systems worldwide, including VPN servers, home routers, mobile servers, and CDN nodes from companies like Meta and Tencent, are vulnerable to attacks.
The issue stems from certain tunneling protocols such as IP6IP6, GRE6, 4in6, and 6in4, which are designed to secure data transmission. These protocols, however, contain weaknesses that attackers can exploit by sending specially crafted packets. This allows hackers to bypass security measures and gain unauthorized access to private networks, enabling attacks such as denial-of-service (DoS) or even data theft.
The researchers suggest that VPN services use more robust security methods like IPsec or WireGuard, which provide stronger encryption and ensure that only the server can decrypt the data. Affected VPN services are mainly from the US, Brazil, China, France, and Japan.
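The practical defensive check that follows from the two paragraphs above is to accept encapsulated tunnel packets only from known peers and drop the rest. The example below is added here to illustrate that check; it is not code from Top10VPN or from the researchers, and the peer addresses, sample packets and the exact outcome labels are constructed for the demonstration. It parses only the outer IPv4 or IPv6 header, looks at the IP protocol or next-header number (4 for IP-in-IP, 41 for IPv6 encapsulation as used by 6in4, 4in6 and IP6IP6, 47 for GRE and GRE6) and classifies each packet against an allow-list, which is the same rule a host firewall would enforce in front of a tunnel endpoint.

```python
import ipaddress
import struct

# IANA protocol / next-header numbers for the encapsulations named in the article.
# 4 = IP-in-IP, 41 = IPv6 encapsulation (6in4, 4in6, IP6IP6), 47 = GRE / GRE6.
TUNNEL_PROTOCOLS = {4: "ipip", 41: "ipv6-encap", 47: "gre"}

# Constructed allow-list of tunnel peers (documentation-range addresses, not real hosts).
ALLOWED_PEERS = {
    ipaddress.ip_address("198.51.100.7"),
    ipaddress.ip_address("2001:db8::1"),
}


def parse_outer_header(packet: bytes):
    """Return (ip_version, protocol_number, source_address) from the outer header,
    or None when the bytes are too short or carry an unknown IP version."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        # IPv4: protocol at offset 9, source address at offsets 12..15.
        return 4, packet[9], ipaddress.IPv4Address(packet[12:16])
    if version == 6 and len(packet) >= 40:
        # IPv6: next header at offset 6, source address at offsets 8..23.
        return 6, packet[6], ipaddress.IPv6Address(packet[8:24])
    return None


def classify_tunnel_packet(packet: bytes, allowed_peers=ALLOWED_PEERS) -> str:
    """Verdict for one packet arriving at a tunnel endpoint:
    'pass'      - not an encapsulation protocol, leave it to normal processing
    'accept'    - tunnel packet from an allow-listed peer
    'drop'      - tunnel packet from any other source (the unauthenticated case)
    'malformed' - outer header could not be parsed"""
    parsed = parse_outer_header(packet)
    if parsed is None:
        return "malformed"
    _version, proto, src = parsed
    if proto not in TUNNEL_PROTOCOLS:
        return "pass"
    return "accept" if src in allowed_peers else "drop"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed outer IPv4 header (checksum left zero; enough for header parsing)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_ipv6(next_header: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed outer IPv6 header."""
    header = struct.pack(
        "!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


# Constructed sample traffic: one packet per case the classifier distinguishes.
SAMPLE_PACKETS = {
    "6in4 from allowed peer": build_ipv4(41, "198.51.100.7", "203.0.113.10", b"\x60" + b"\x00" * 39),
    "6in4 from unknown source": build_ipv4(41, "192.0.2.99", "203.0.113.10", b"\x60" + b"\x00" * 39),
    "GRE6 from unknown source": build_ipv6(47, "2001:db8::bad", "2001:db8::10", b"\x00\x00\x86\xdd"),
    "4in6 from allowed peer": build_ipv6(4, "2001:db8::1", "2001:db8::10", b"\x45" + b"\x00" * 19),
    "plain TCP": build_ipv4(6, "192.0.2.50", "203.0.113.10", b"\x00" * 20),
    "truncated header": b"\x45\x00\x00",
}


def audit(packets=SAMPLE_PACKETS, allowed_peers=ALLOWED_PEERS) -> dict:
    """Classify every sample packet and return {label: verdict}."""
    return {label: classify_tunnel_packet(pkt, allowed_peers) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{verdict:9s} {label}")
```

The point of the `drop` branch is that an encapsulation protocol with no authentication gives the endpoint nothing but the outer source address to go on, and that address is attacker-controlled; a static allow-list narrows the exposure, while moving the tunnel to IPsec or WireGuard, as the researchers recommend, replaces the address check with a cryptographic one.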
This discovery highlights the need for caution when using VPNs and serves as a reminder that no service is entirely immune to vulnerabilities.