Home / The Long Read / Threat Intelligence
Threat IntelligenceLong Read

How 4.2 Million Internet Hosts Were Hijacked: What You Need to Know

Discover how vulnerabilities in tunneling protocols expose 4.2M internet hosts to attacks. Learn about the risks, affected regions, and essential steps to protect your network and supply chain.

Article contents
  1. What happened?
How 4.2 Million Internet Hosts Were Hijacked: What You Need to Know
TL;DR

Discover how vulnerabilities in tunneling protocols expose 4.2M internet hosts to attacks. Learn about the risks, affected regions, and essential steps to protect your network and supply chain.

What happened?

Researchers have discovered vulnerabilities in four tunneling protocols that allowed attackers to hijack 4.2 million internet hosts, including VPN servers, home routers, and enterprise devices. These attacks target both corporate and home networks, letting cybercriminals abuse these devices as one-way proxies for anonymous attacks.

How do these attacks work?

Attackers exploit bugs in tunneling protocols to launch:

  • Denial-of-Service (DoS) attacks: Overloading systems to cause disruptions.
  • DNS spoofing: Redirecting users to malicious websites.
  • Unauthorized access: Gaining entry to private networks or IoT devices.
  • SYN floods: Sending a flood of TCP requests to crash systems.
  • These attacks can make malicious traffic appear legitimate by spoofing source addresses, bypassing basic defenses.

    Where are these attacks happening?

    Image representing Brazil, China, France, Japan, and the United States

    Most of these attacks have occurred in:

    • Brazil
    • China
    • France
    • Japan
    • The United States

    This highlights how widespread and impactful these vulnerabilities are.

    What should you do to stay protected?

    Experts recommend taking these steps to safeguard your systems:

    1. Use trusted endpoints: Ensure tunneling traffic is only accepted from verified sources.
    2. Update software: Apply vendor patches for affected devices and services.
    3. Harden configurations: Secure your network with strict firewall rules and robust authentication checks.
    4. Disable unused services: Turn off tunneling services if you don’t need them.

    Why this matters for your supply chain and TPRM

    Supply chains and third-party relationships depend heavily on secure networks and devices. Vulnerabilities in tunneling protocols can expose businesses to risks, including:

    • Compromised vendor systems leading to breaches.
    • Disruptions in supply chain operations due to DoS attacks.
    • Data theft from insecure IoT devices used in logistics.

    How TPRM can help mitigate these risks

    Supplier shield's dashboard showing the supplier's view of the complete chain in an easy and friendly UX

    By adopting a Third-Party Risk Management (TPRM) approach, businesses can:

    • Identify vulnerable vendors: Assess third-party systems for outdated or unpatched devices.
    • Enforce security standards: Require vendors to harden their network devices and apply patches.
    • Monitor real-time risks: Use tools to track potential threats in your supply chain.

    Take the next step with our TPRM services

    Our TPRM cloud-solution are designed to protect your supply chain by identifying and managing vendor risks. Whether it’s securing tunneling protocols or safeguarding IoT devices, we help you:

    • Evaluate vendor cybersecurity practices.
    • Monitor risks continuously.
    • Strengthen your overall resilience.

    The recent tunneling protocol vulnerabilities are a wake-up call for businesses relying on digital systems. By taking proactive steps to secure your network and embracing TPRM, you can stay ahead of threats while ensuring your supply chain remains robust and resilient.

    What to do next

    Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

    Related solutions
    How Supplier Shield worksCompare alternatives

    Read next

    SonicWall SMA 1000 zero-days under active attack: the remote-access appliance became the way in

    SonicWall SMA 1000 zero-days under active attack: the remote-access appliance became the way in

    On 14 July 2026 SonicWall confirmed two actively exploited zero-days in its Secure Mobile Access (SMA) 1000 Series remote-access appliances and released fixed firmware. The pattern is concentration risk at the network edge: a widely used SSL VPN gateway sits in front of internal systems, so its compromise reaches everyone behind it, including the clients of managed providers that run one.

    Read article
    Jscrambler's own npm package was hijacked: a trusted supplier became a supply-chain vector

    Jscrambler's own npm package was hijacked: a trusted supplier became a supply-chain vector

    An attacker hijacked Jscrambler's npm package with a stolen publishing credential and shipped an infostealer to developers between 11 and 13 July 2026. The malware harvested cloud tokens, wallets and AI-assistant credentials from any machine that installed it. For third-party risk teams, the lesson is that a trusted dependency is a supplier, and its release channel can become the attack path.

    Read article
    Lidl online shop data breach started at an IT service provider, not the retailer's own systems

    Lidl online shop data breach started at an IT service provider, not the retailer's own systems

    Lidl has told online shop customers in Germany, Belgium and the Netherlands that their data was stolen in a breach at an IT service provider, not in its own systems. Names, phone numbers, email addresses, dates of birth and customer numbers were taken; payment data is not yet ruled out. Under GDPR the controller stays accountable for a processor's breach.

    Read article
    4.2 Million Internet Hosts Hijacked: What to Know | Supplier Shield