IP-in-IP protocol allows a remote, unauthenticated attacker to route arbitrary network traffic
CVE-2020-10136

5.3MEDIUM

Key Information:

Vendor: Ietf
Status: Rfc2003 - Ip Encapsulation Within Ip
Vendor: CVE Published:; 2 June 2020

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 15%

Summary

IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing.

Affected Version(s)

RFC2003 - IP Encapsulation within IP STD 1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

ipeeyoupeewepee
Created by PapayaJackal

References

https://kb.cert.org/vuls/id/636397/

https://tools.cisco.com/security/center/content/CiscoSecu...

https://www.digi.com/resources/security

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 22, 2025
👾
Exploit known to exist
Jan 22, 2025
Vulnerability published
Jun 2, 2020
Vulnerability Reserved
Mar 5, 2020

Credit

Thanks to Yannay Livneh for reporting this issue.