CVE-2024-3661 | DHCP routing options can manipulate interface-based VPN traffic

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Published: 2024-05-06
Last update: 2026-06-17
Assigner: 9119a7d8-5eab-497f-8521-727c672e3725
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Conclusion & alert: CVE-2024-3661 is rated High Exploit Risk (77.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 4.06%). Core evidence: 5 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.15% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Public exploit references (Exploit-DB) for CVE-2024-3661

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB
nvd_ref exploit_tag Exploit-DB
nvd_ref exploit_tag Exploit-DB
nvd_ref exploit_tag Exploit-DB
nvd_ref exploit_tag Exploit-DB

Exploit prediction scoring system (EPSS) score for CVE-2024-3661

EPSS is a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative likelihood of exploitation).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 2.91% 4.06% +1.15%
2 2026-05-07 2.42% 2.91% +0.50%
3 2026-04-26 2.42%

Full EPSS history (40 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-3661

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.6 3.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L 2.8 4.7 9119a7d8-5eab-497f-8521-727c672e3725
7.6 3.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L 2.8 4.7 [email protected]

Vector breakdown (identical for both entries):
Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

OS Trackers for CVE-2024-3661

vendor priority summary link
redhat medium https://access.redhat.com/security/cve/CVE-2024-3661
suse high CVE-2024-3661 is rated severity important by SUSE: 32 source package names (NetworkManager-1.40.16-18.el8_10, NetworkManager-1.48.10-5.el9_5, …) in 32 product×package rows across 2 product lines (SUSE Liberty Linux 8, SUSE Liberty Linux 9), all 32 Fixed. https://www.suse.com/security/cve/CVE-2024-3661/
ubuntu high CVE-2024-3661 is high priority for Ubuntu: 29 source packages (connman, gadmin-openvpn-client, …) with 248 status rows across 10 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, trusty, upstream, xenial): ignored 191, DNE 29, needs-triage 28. https://ubuntu.com/security/CVE-2024-3661

Affected software / configurations for CVE-2024-3661

Vendor Product Version Raw CPE
fortinet forticlient >= 6.4.0, < 7.2.5 cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:linux:*:*
fortinet forticlient >= 6.4.0, < 7.2.5 cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:macos:*:*
fortinet forticlient >= 6.4.0, < 7.2.5 cpe:2.3:a:fortinet:forticlient:*:*:*:*:*:windows:*:*
fortinet forticlient 7.4.0 cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:linux:*:*
fortinet forticlient 7.4.0 cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:macos:*:*
fortinet forticlient 7.4.0 cpe:2.3:a:fortinet:forticlient:7.4.0:*:*:*:*:windows:*:*
cisco anyconnect_vpn_client cpe:2.3:a:cisco:anyconnect_vpn_client:-:*:*:*:*:*:*:*
cisco secure_client cpe:2.3:a:cisco:secure_client:-:*:*:*:*:*:*:*
paloaltonetworks globalprotect cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:iphone_os:*:*
paloaltonetworks globalprotect cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:linux:*:*
paloaltonetworks globalprotect cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:macos:*:*
paloaltonetworks globalprotect cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*
citrix secure_access_client < 24.06.1 cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*
citrix secure_access_client < 24.8.5 cpe:2.3:a:citrix:secure_access_client:*:*:*:*:*:*:*:*
f5 big-ip_access_policy_manager >= 7.2.3, <= 7.2.5 cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 big-ip_access_policy_manager >= 15.1.0, <= 15.1.10 cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 big-ip_access_policy_manager >= 16.1.0, <= 16.1.5 cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 big-ip_access_policy_manager >= 17.1.0, <= 17.1.2 cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
watchguard ipsec_mobile_vpn_client cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:macos:*:*
watchguard ipsec_mobile_vpn_client cpe:2.3:a:watchguard:ipsec_mobile_vpn_client:*:*:*:*:*:windows:*:*
watchguard mobile_vpn_with_ssl cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:macos:*:*
watchguard mobile_vpn_with_ssl cpe:2.3:a:watchguard:mobile_vpn_with_ssl:*:*:*:*:*:windows:*:*
zscaler client_connector < 1.5.1.25 cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*
zscaler client_connector < 4.2.0.282 cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:macos:*:*
zscaler client_connector >= 3.7, < 3.7.0.134 cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:linux:*:*
zscaler client_connector cpe:2.3:a:zscaler:client_connector:-:*:*:*:*:windows:*:*

References for CVE-2024-3661

URL Tags
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ Exploit Press/Media Coverage
https://bst.cisco.com/quickview/bug/CSCwk05814 Third Party Advisory Vendor Advisory
https://datatracker.ietf.org/doc/html/rfc2131#section-7 Related
https://datatracker.ietf.org/doc/html/rfc3442#section-7 Related
https://fortiguard.fortinet.com/psirt/FG-IR-24-170 Vendor Advisory
https://issuetracker.google.com/issues/263721377 Issue Tracking
https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/ Exploit Press/Media Coverage
https://lowendtalk.com/discussion/188857/a-rogue-dhcp-server-within-your-network-can-and-will-hijack-your-vpn-traffic Issue Tracking
https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision Third Party Advisory
https://my.f5.com/manage/s/article/K000139553 Vendor Advisory
https://news.ycombinator.com/item?id=40279632 Issue Tracking
https://news.ycombinator.com/item?id=40284111 Issue Tracking
https://security.paloaltonetworks.com/CVE-2024-3661 Vendor Advisory
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661 Vendor Advisory
https://tunnelvisionbug.com/ Exploit Third Party Advisory
https://www.agwa.name/blog/post/hardening_openvpn_for_def_con Related
https://www.leviathansecurity.com/research/tunnelvision Third Party Advisory
https://www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/ Exploit Press/Media Coverage
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009 Mitigation Third Party Advisory Vendor Advisory
https://www.zscaler.com/blogs/security-research/cve-2024-3661-k-tunnelvision-exposes-vpn-bypass-vulnerability Exploit Third Party Advisory Vendor Advisory