TunnelVision (CVE-2024-3661).

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel. It belongs to the Attacks & Threats category of cybersecurity.

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel.

TunnelVision (CVE-2024-3661), disclosed by Leviathan Security in May 2024, is a routing-table attack against VPN clients that works at the DHCP layer rather than against the VPN protocol itself. A malicious or compromised DHCP server (a rogue Wi-Fi network, a hostile coffee-shop router, a captive portal) responds to the victim's DHCP lease with option 121 — classless static routes — injecting routes more specific than the VPN's default. Because most operating systems honor option 121 above VPN routes, traffic destined for the targeted prefixes egresses the physical interface in plaintext, bypassing the encrypted tunnel entirely. The VPN client still shows 'connected', and there is no kill-switch trigger. Affected platforms include Windows, macOS, iOS (partially), most Linux distributions, and the major commercial VPN clients; Android is largely unaffected because it does not implement option 121. Mitigations include ignoring option 121 on untrusted networks, putting the VPN inside a network namespace (Linux), enforcing the VPN as the only allowed interface via firewall rules, or relying on always-on per-app VPN configurations. The CVE prompted urgent advisories from Mullvad, Proton, and most enterprise VPN vendors.

Defences for TunnelVision (CVE-2024-3661) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: CVE-2024-3661, DHCP option 121 attack.