Architectural VPN Vulnerabilities, Disclosure Fatigue, and Structural Failures
Authors: William J. Tolley (Hampden-Sydney College), Everett Morse (Hampden-Sydney College), Gabriel Hogan (Washington & Lee University), Jeffrey Knockel (Bowdoin College), Jedidiah R. Crandall (Arizona State University)
Year: 2026
Issue: 1
Pages: 48–57
Abstract: This experience paper recounts seven years of disclosure and re-testing of an architectural VPN vulnerability first reported in 2019. The flaw, rooted in predictable tunnel behavior, still allows blind in-path adversaries to infer and disrupt encrypted traffic on fully updated devices in 2025. Our experience shows that repeated CVEs and patch cycles create the illusion of progress while the underlying risk persists. We distill lessons about the limits of patch-based disclosure, the absence of ownership for architectural flaws, and the resulting risks to high-threat users, and propose a framework for tracking long-lived, cross-vendor vulnerabilities.
Copyright in FOCI articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.