Newly discovered flaws in VPN tunneling protocols call into question whether VPN hosts are as secure as expected.
VPN services have many uses and benefits, like making sure you aren’t being overcharged based on your location, protecting your privacy while using the internet, and streaming media that’s located outside your own region (e.g., another country’s Netflix library). And for the most part, VPNs have long been considered safe to use.
But one recent investigation by Top10VPN has raised questions about whether VPNs are truly as secure as they’re touted to be. In collaboration with security researcher Mathy Vanhoef, Top10VPN shared this discovery ahead of its presentation at the USENIX 2025 conference in Seattle.
In short, they discovered serious vulnerabilities that affect over 4 million systems. These systems include VPN servers, home network routers, mobile servers, and CDN nodes, including those belonging to large global companies like Meta and Tencent.
Specifically, the findings concern the IP6IP6, GRE6, 4in6, and 6in4 tunneling protocols, which are supposed to secure data transmission. However, attackers can apparently exploit vulnerabilities in these protocols relatively easily to gain access to networks.
The VPN security issue, explained
According to the researchers, many VPN protocols can’t reliably verify that the identity of a sender matches the authorized user profile of the VPN. Attackers can therefore use so-called one-way proxies to gain access over and over, all without being traced.
According to the report, hackers just need to send data packets that use one of the affected protocols to gain unauthorized access. Then, they can do things like launch denial-of-service (DoS) attacks or infiltrate private networks to steal data.
The only way to prevent this is to use additional security mechanisms, such as IPsec or WireGuard, which provide end-to-end encryption of VPN traffic data. Only the server is then able to read the encrypted data.
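For administrators who want to see whether their own hosts receive such traffic, the following added example (not code from the article or from the researchers) classifies raw IP packets by the four tunnel types named above and flags those whose outer source address is not a configured tunnel peer. The function names, the peer allowlist, and the sample packets built from documentation address ranges are all assumptions made for illustration.

```python
import ipaddress
import struct

# (outer IP version, outer protocol / next-header number) -> tunnel type.
# 4 = IPv4 encapsulation, 41 = IPv6 encapsulation, 47 = GRE (IANA numbers).
TUNNELS = {(6, 41): "IP6IP6", (6, 47): "GRE6", (6, 4): "4in6", (4, 41): "6in4"}

def classify(packet: bytes):
    """Return (tunnel_type, outer_source) for a raw IP packet, else None."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        proto, src = packet[9], ipaddress.IPv4Address(packet[12:16])
    elif version == 6 and len(packet) >= 40:
        # Only the first next-header value is read; extension headers are not walked.
        proto, src = packet[6], ipaddress.IPv6Address(packet[8:24])
    else:
        return None
    name = TUNNELS.get((version, proto))
    return (name, src) if name else None

def audit(packets, allowed_peers):
    """List (tunnel_type, source) for tunnel packets from non-allowlisted sources."""
    nets = [ipaddress.ip_network(p) for p in allowed_peers]
    findings = []
    for pkt in packets:
        hit = classify(pkt)
        if hit and not any(n.version == hit[1].version and hit[1] in n for n in nets):
            findings.append((hit[0], str(hit[1])))
    return findings

# --- Constructed sample input (header-only packets, documentation addresses) ---
def v4_header(src, dst, proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def v6_header(src, dst, next_header):
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

ALLOWED = ["192.0.2.10/32", "2001:db8:1::/48"]      # hypothetical configured peers
SAMPLE = [
    v4_header("192.0.2.10", "192.0.2.1", 41),       # 6in4 from a configured peer
    v4_header("198.51.100.7", "192.0.2.1", 41),     # 6in4 from an unknown source
    v6_header("2001:db8::99", "2001:db8::1", 47),   # GRE6 from an unknown source
    v6_header("2001:db8:1::5", "2001:db8::1", 4),   # 4in6 from a configured peer
    v4_header("198.51.100.7", "192.0.2.1", 6),      # ordinary TCP, not a tunnel
]

if __name__ == "__main__":
    for tunnel, source in audit(SAMPLE, ALLOWED):
        print(f"unexpected {tunnel} packet from {source}")
```

A source-address allowlist is only an audit aid, because outer source addresses can be spoofed; authenticating the tunnel with IPsec or WireGuard, as described above, is what closes the gap.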
Which VPNs are affected?
Of the numerous VPN hosts that were analyzed, those classified as insecure mainly included servers and services from the US, Brazil, China, France, and Japan. In general, however, caution should always be exercised when using VPN services.
When choosing a VPN, always make sure it offers one of the encryption features mentioned above. The best way to stay safe is to carry out independent tests, which we’ve done for you in our comparison of the best overall VPN services.