{"id":"CVE-2024-3661","details":"DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.","modified":"2026-03-15T22:49:30.479312Z","published":"2024-05-06T19:15:11.027Z","related":["ALSA-2025:0288","ALSA-2025:0377"],"references":[{"type":"WEB","url":"https://datatracker.ietf.org/doc/html/rfc2131#section-7"},{"type":"WEB","url":"https://datatracker.ietf.org/doc/html/rfc3442#section-7"},{"type":"ADVISORY","url":"https://fortiguard.fortinet.com/psirt/FG-IR-24-170"},{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000139553"},{"type":"ADVISORY","url":"https://bst.cisco.com/quickview/bug/CSCwk05814"},{"type":"ADVISORY","url":"https://security.paloaltonetworks.com/CVE-2024-3661"},{"type":"ADVISORY","url":"https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661"},{"type":"ADVISORY","url":"https://www.leviathansecurity.com/research/tunnelvision"},{"type":"ADVISORY","url":"https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009"},{"type":"ADVISORY","url":"https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision"},{"type":"REPORT","url":"https://issuetracker.google.com/issues/263721377"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=40279632"},{"type":"REPORT","url":"https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=40284111"},{"type":"ARTICLE","url":"https://www.agwa.name/blog/post/hardening_openvpn_for_def_con"},{"type":"EVIDENCE","url":"https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/"},{"type":"EVIDENCE","url":"https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability"},{"type":"EVIDENCE","url":"https://tunnelvisionbug.com/"},{"type":"EVIDENCE","url":"https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/"},{"type":"EVIDENCE","url":"https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"6.4.0"},{"fixed":"7.2.5"}]},{"events":[{"introduced":"6.4.0"},{"fixed":"7.2.5"}]},{"events":[{"introduced":"6.4.0"},{"fixed":"7.2.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"fixed":"24.06.1"}]},{"events":[{"introduced":"0"},{"fixed":"24.8.5"}]},{"events":[{"introduced":"7.2.3"},{"last_affected":"7.2.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.5"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.2"}]},{"events":[{"introduced":"0"},{"fixed":"1.5.1.25"}]},{"events":[{"introduced":"0"},{"fixed":"4.2.0.282"}]},{"events":[{"introduced":"3.7"},{"fixed":"3.7.0.134"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3661.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"}]}