Recent research has unveiled numerous vulnerabilities present in a majority of VPN products. Attackers can exploit these vulnerabilities to gain unauthorized access to user data, extract sensitive user information, or even launch attacks on user devices.


Nian Xue from New York University, along with Yashaswi Malla, Zihang Xia, and Christina Pöpper from New York University Abu Dhabi, as well as Mathy Vanhoef from KU Leuven University, emphasize, “Our attacks are not computationally expensive, so anyone with the right network access can do them. They also don’t depend on the VPN protocol being used.”
“Even if the victim is using another layer of encryption, like HTTPS, our attacks show which websites a user is visiting, which can be a big privacy risk.”

The Vulnerabilities and Potential Threats in VPNs

Several security holes have been identified, each assigned a unique CVE number: CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, and CVE-2023-36671. Given the diversity of solutions that could potentially be compromised, these CVE numbers will serve as identifiers for each vulnerability, regardless of the specific solution or codebase it impacts.
The initial set of vulnerabilities can be exploited in a LocalNet attack scenario. This occurs when a user connects to a Wi-Fi or Ethernet network controlled by an attacker. The second set of vulnerabilities can lead to a ServerIP attack. In this case, the attack can be carried out over an untrusted Wi-Fi or Ethernet network, or even be initiated by rogue Internet service providers (ISPs).

“Both attacks change the routing table of the victim to trick the victim into sending traffic outside the protected VPN tunnel,” explain the experts. This manipulation grants attackers the ability to read and intercept the transmitted traffic.
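Because both attacks work through the victim's routing table, one defensive check is to audit that table for routes that carry non-local destinations over an interface other than the tunnel. The following is an added example, not code from the researchers or from any VPN vendor. It covers IPv4 only, and the interface names (`tun0`, `wlan0`), the documentation-range addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Address space that is legitimately reachable outside a full-tunnel VPN.
LOCAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "100.64.0.0/10", "224.0.0.0/4")]

# Constructed sample of Linux `ip route show` output (documentation addresses).
SAMPLE_ROUTES = """\
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
default via 192.168.1.1 dev wlan0 metric 600
203.0.113.7 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.23
"""

def parse_routes(text):
    """Yield (destination network, interface) for each IPv4 route line."""
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok[:-1]:
            continue  # blackhole/unreachable routes have no interface
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route-type prefixes and other formats are skipped
        if net.version == 4:
            yield net, tok[tok.index("dev") + 1]

def leaking_routes(text, tunnel_ifaces, vpn_server_ip):
    """Return routes that carry non-local destinations outside the tunnel."""
    server = ipaddress.ip_network(vpn_server_ip)
    findings = []
    for net, dev in parse_routes(text):
        if dev in tunnel_ifaces or net == server:
            continue  # tunnel route, or the host route carrying the tunnel itself
        if net.prefixlen == 0:
            continue  # underlay default, assumed overridden by the tunnel's routes
        if any(net.subnet_of(local) for local in LOCAL_USE):
            continue  # private, link-local, loopback, CGNAT or multicast range
        findings.append((str(net), dev))
    return findings

if __name__ == "__main__":
    for net, dev in leaking_routes(SAMPLE_ROUTES, {"tun0"}, "203.0.113.7"):
        print(f"route {net} via {dev} bypasses the VPN tunnel")
```

On a real host the text would come from `ip route show`, and the expected VPN server address should be taken from the client's configuration rather than from a fresh DNS lookup on the same network.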

“Once a large enough number of devices have been fixed, and if the attack script is deemed necessary or helpful, it will also be made public,” they said.

TunnelCrack attacks

Apps/Clients Prone to Vulnerabilities and Protective Measures

After extensive testing of various consumer and enterprise VPNs, it was determined that most VPNs catering to Apple devices (including computers, iPhones, and iPads) and those tailored for Windows and Linux systems are susceptible to either one or both of the described attacks. Conversely, approximately one-fifth of VPN applications on the Android platform face potential risks. This discrepancy can be attributed to the presence of a “carefully designed” API.

Additionally, it’s worth noting that certain VPN applications on Linux exhibit vulnerabilities, and this extends to the built-in VPN utilities present in Windows, macOS, and iOS operating systems.

The researchers acknowledge that while they are uncertain about the exploitation of these vulnerabilities in real-world scenarios, they also emphasize the difficulty in detecting such instances if they were occurring.

They have proactively informed numerous VPN providers about the identified issues. Consequently, several vendors have taken steps to rectify the bugs. However, it’s worth noting that some vendors chose not to disclose the bug fixes in their update release notes, as the researchers requested that these fixes remain concealed until the completion of their study.

Towards the conclusion of the researchers’ paper, a comprehensive list of all the tested VPN applications across various devices is provided. It could be prudent to verify whether the VPN application you utilize is included in this list. If your chosen VPN app is indeed listed, it’s advisable to ascertain whether the vendor has taken steps to address the identified vulnerabilities. In the event that this information is not readily accessible online, reaching out to the vendor’s technical support could be a suitable approach to obtain clarification.
The researchers said, “Some VPNs that have been patched are Mozilla VPN, Surfshark, Malwarebytes, Windscribe (which can import OpenVPN profiles), and Cloudflare’s WARP.”

Cisco has officially acknowledged that CVE-2023-36672 has the potential to impact its Cisco Secure Client and AnyConnect Secure Mobility Client. However, this vulnerability only holds relevance in a specific configuration that deviates from the default settings. On the other hand, Mullvad has specified that the LocalNet attack exclusively applies to its iOS app, indicating that this vulnerability doesn’t extend to other platforms.

“If there are no updates for your VPN, you can stop the LocalNet threat by turning off access to the local network. You can also make attacks less likely by making sure websites use HTTPS, which many websites do these days,” the experts said.

