Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-3661

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.6, indicating it requires adjacent network access with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), limited integrity, and limited availability for affected systems. Impacting 12 products from fortinet, from cisco, from cisco and 9 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2024, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2024-05-06T19:15:11.027

Last Modified

2025-01-15T16:50:28.667

Status

Analyzed

Source

9119a7d8-5eab-497f-8521-727c672e3725

Severity

CVSSv3.1: 7.6 (HIGH)

Weaknesses

Type: Secondary
CWE-306
CWE-501
Type: Primary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	fortinet	forticlient	< 7.2.5	Yes
Application	fortinet	forticlient	< 7.2.5	Yes
Application	fortinet	forticlient	< 7.2.5	Yes
Application	fortinet	forticlient	7.4.0	Yes
Application	fortinet	forticlient	7.4.0	Yes
Application	fortinet	forticlient	7.4.0	Yes
Application	cisco	anyconnect_vpn_client	-	Yes
Application	cisco	secure_client	-	Yes
Application	paloaltonetworks	globalprotect	*	Yes
Application	paloaltonetworks	globalprotect	*	Yes
Application	paloaltonetworks	globalprotect	*	Yes
Application	paloaltonetworks	globalprotect	*	Yes
Application	citrix	secure_access_client	< 24.06.1	Yes
Operating System	apple	iphone_os	-	No
Operating System	apple	macos	-	No
Application	citrix	secure_access_client	< 24.8.5	Yes
Operating System	linux	linux_kernel	-	No
Application	f5	big-ip_access_policy_manager	≤ 7.2.5	Yes
Application	f5	big-ip_access_policy_manager	≤ 15.1.10	Yes
Application	f5	big-ip_access_policy_manager	≤ 16.1.5	Yes
Application	f5	big-ip_access_policy_manager	≤ 17.1.2	Yes
Application	watchguard	ipsec_mobile_vpn_client	*	Yes
Application	watchguard	ipsec_mobile_vpn_client	*	Yes
Application	watchguard	mobile_vpn_with_ssl	*	Yes
Application	watchguard	mobile_vpn_with_ssl	*	Yes
Application	zscaler	client_connector	< 1.5.1.25	Yes
Application	zscaler	client_connector	< 4.2.0.282	Yes
Application	zscaler	client_connector	< 3.7.0.134	Yes
Application	zscaler	client_connector	-	Yes

References

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ Exploit, Press/Media Coverage (9119a7d8-5eab-497f-8521-727c672e3725)
https://bst.cisco.com/quickview/bug/CSCwk05814 Third Party Advisory, Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://datatracker.ietf.org/doc/html/rfc2131#section-7 Related (9119a7d8-5eab-497f-8521-727c672e3725)
https://datatracker.ietf.org/doc/html/rfc3442#section-7 Related (9119a7d8-5eab-497f-8521-727c672e3725)
https://fortiguard.fortinet.com/psirt/FG-IR-24-170 Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://issuetracker.google.com/issues/263721377 Issue Tracking (9119a7d8-5eab-497f-8521-727c672e3725)
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ Exploit, Press/Media Coverage (9119a7d8-5eab-497f-8521-727c672e3725)
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic Issue Tracking (9119a7d8-5eab-497f-8521-727c672e3725)
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision Third Party Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://my.f5.com/manage/s/article/K000139553 Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://news.ycombinator.com/item?id=40279632 Issue Tracking (9119a7d8-5eab-497f-8521-727c672e3725)
https://news.ycombinator.com/item?id=40284111 Issue Tracking (9119a7d8-5eab-497f-8521-727c672e3725)
https://security.paloaltonetworks.com/CVE-2024-3661 Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://tunnelvisionbug.com/ Exploit, Third Party Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con Related (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.leviathansecurity.com/research/tunnelvision Third Party Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ Exploit, Press/Media Coverage (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 Mitigation, Third Party Advisory, Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability Exploit, Third Party Advisory, Vendor Advisory (9119a7d8-5eab-497f-8521-727c672e3725)
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ Exploit, Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
https://bst.cisco.com/quickview/bug/CSCwk05814 Third Party Advisory, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://datatracker.ietf.org/doc/html/rfc2131#section-7 Related (af854a3a-2127-422b-91ae-364da2661108)
https://datatracker.ietf.org/doc/html/rfc3442#section-7 Related (af854a3a-2127-422b-91ae-364da2661108)
https://fortiguard.fortinet.com/psirt/FG-IR-24-170 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://issuetracker.google.com/issues/263721377 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ Exploit, Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://my.f5.com/manage/s/article/K000139553 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://news.ycombinator.com/item?id=40279632 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://news.ycombinator.com/item?id=40284111 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://security.paloaltonetworks.com/CVE-2024-3661 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://tunnelvisionbug.com/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con Related (af854a3a-2127-422b-91ae-364da2661108)
https://www.leviathansecurity.com/research/tunnelvision Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ Exploit, Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 Mitigation, Third Party Advisory, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability Exploit, Third Party Advisory, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For fortinet's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.