CVE-2024-3661

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

• CWE-306
• CWE-501
• CWE-306

• https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/Exploit, Press/Media Coverage
• https://bst.cisco.com/quickview/bug/CSCwk05814Third Party Advisory, Vendor Advisory
• https://datatracker.ietf.org/doc/html/rfc2131#section-7Related
• https://datatracker.ietf.org/doc/html/rfc3442#section-7Related
• https://fortiguard.fortinet.com/psirt/FG-IR-24-170Vendor Advisory
• https://issuetracker.google.com/issues/263721377Issue Tracking
• https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/Exploit, Press/Media Coverage
• https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-trafficIssue Tracking
• https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvisionThird Party Advisory
• https://my.f5.com/manage/s/article/K000139553Vendor Advisory
• https://news.ycombinator.com/item?id=40279632Issue Tracking
• https://news.ycombinator.com/item?id=40284111Issue Tracking
• https://security.paloaltonetworks.com/CVE-2024-3661Vendor Advisory
• https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661Vendor Advisory
• https://tunnelvisionbug.com/Exploit, Third Party Advisory
• https://www.agwa.name/blog/post/hardening_openvpn_for_def_conRelated
• https://www.leviathansecurity.com/research/tunnelvisionThird Party Advisory
• https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/Exploit, Press/Media Coverage
• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009Mitigation, Third Party Advisory, Vendor Advisory
• https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerabilityExploit, Third Party Advisory, Vendor Advisory
• https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/Exploit, Press/Media Coverage
• https://bst.cisco.com/quickview/bug/CSCwk05814Third Party Advisory, Vendor Advisory
• https://datatracker.ietf.org/doc/html/rfc2131#section-7Related
• https://datatracker.ietf.org/doc/html/rfc3442#section-7Related
• https://fortiguard.fortinet.com/psirt/FG-IR-24-170Vendor Advisory
• https://issuetracker.google.com/issues/263721377Issue Tracking
• https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/Exploit, Press/Media Coverage
• https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-trafficIssue Tracking
• https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvisionThird Party Advisory
• https://my.f5.com/manage/s/article/K000139553Vendor Advisory
• https://news.ycombinator.com/item?id=40279632Issue Tracking
• https://news.ycombinator.com/item?id=40284111Issue Tracking
• https://security.paloaltonetworks.com/CVE-2024-3661Vendor Advisory
• https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661Vendor Advisory
• https://tunnelvisionbug.com/Exploit, Third Party Advisory
• https://www.agwa.name/blog/post/hardening_openvpn_for_def_conRelated
• https://www.leviathansecurity.com/research/tunnelvisionThird Party Advisory
• https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/Exploit, Press/Media Coverage
• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009Mitigation, Third Party Advisory, Vendor Advisory
• https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerabilityExploit, Third Party Advisory, Vendor Advisory

Published

May 6, 2024

Last Modified

Jun 17, 2026

Status

Analyzed