TunnelVision (CVE-2024-3661).

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel. 它属于网络安全的 攻击与威胁 分类。

A 2024 attack that abuses DHCP option 121 (classless static routes) on an attacker-controlled network to override a VPN's routing table, sending the victim's plaintext traffic outside the encrypted tunnel.

TunnelVision (CVE-2024-3661), disclosed by Leviathan Security in May 2024, is a routing-table attack against VPN clients that works at the DHCP layer rather than against the VPN protocol itself. A malicious or compromised DHCP server (a rogue Wi-Fi network, a hostile coffee-shop router, a captive portal) responds to the victim's DHCP lease with option 121 — classless static routes — injecting routes more specific than the VPN's default. Because most operating systems honor option 121 above VPN routes, traffic destined for the targeted prefixes egresses the physical interface in plaintext, bypassing the encrypted tunnel entirely. The VPN client still shows 'connected', and there is no kill-switch trigger. Affected platforms include Windows, macOS, iOS (partially), most Linux distributions, and the major commercial VPN clients; Android is largely unaffected because it does not implement option 121. Mitigations include ignoring option 121 on untrusted networks, putting the VPN inside a network namespace (Linux), enforcing the VPN as the only allowed interface via firewall rules, or relying on always-on per-app VPN configurations. The CVE prompted urgent advisories from Mullvad, Proton, and most enterprise VPN vendors.

针对 TunnelVision (CVE-2024-3661) 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: CVE-2024-3661, DHCP option 121 attack。