Saved in:
Bibliographic Details
Main Authors: Yang, Yuxiang, Wang, Ao, Feng, Xuewei, Li, Qi, Xu, Ke
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.04099
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914447528820736
author Yang, Yuxiang
Wang, Ao
Feng, Xuewei
Li, Qi
Xu, Ke
author_facet Yang, Yuxiang
Wang, Ao
Feng, Xuewei
Li, Qi
Xu, Ke
contents Virtual Private Networks (VPNs) are widely used for censorship evasion and traffic protection. VPN users expect to be provided with adequate security protection, and at the same time not be affected by other users connected to the same VPN server, which can be illustrated as the non-interference property. However, in this paper, we have identified several vulnerabilities that violate this property, specifically within the connection tracking frameworks of VPN servers, stemming from shared resource misuse and insufficient validation of session state transitions. We present three session manipulation attacks targeting TCP and UDP traffic tunneled through VPNs. The attacker who only connects to the same VPN server can launch denial-of-service attacks, hijack TCP connections of other clients, or inject forged DNS responses into their queries. We evaluate these attacks against five popular connection tracking frameworks across different OSes and nine major commercial VPN providers. Experimental results reveal that all frameworks and eight providers are vulnerable to at least one of the attacks. We have responsibly disclosed our findings with countermeasures, resulting in 19 assigned CVEs/CNVDs and acknowledgments from the communities and providers.
format Preprint
id arxiv_https___arxiv_org_abs_2604_04099
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Invisible Adversaries: A Systematic Study of Session Manipulation Attacks on VPNs
Yang, Yuxiang
Wang, Ao
Feng, Xuewei
Li, Qi
Xu, Ke
Cryptography and Security
Virtual Private Networks (VPNs) are widely used for censorship evasion and traffic protection. VPN users expect to be provided with adequate security protection, and at the same time not be affected by other users connected to the same VPN server, which can be illustrated as the non-interference property. However, in this paper, we have identified several vulnerabilities that violate this property, specifically within the connection tracking frameworks of VPN servers, stemming from shared resource misuse and insufficient validation of session state transitions. We present three session manipulation attacks targeting TCP and UDP traffic tunneled through VPNs. The attacker who only connects to the same VPN server can launch denial-of-service attacks, hijack TCP connections of other clients, or inject forged DNS responses into their queries. We evaluate these attacks against five popular connection tracking frameworks across different OSes and nine major commercial VPN providers. Experimental results reveal that all frameworks and eight providers are vulnerable to at least one of the attacks. We have responsibly disclosed our findings with countermeasures, resulting in 19 assigned CVEs/CNVDs and acknowledgments from the communities and providers.
title Invisible Adversaries: A Systematic Study of Session Manipulation Attacks on VPNs
topic Cryptography and Security
url https://arxiv.org/abs/2604.04099