CVE-2026-24902
📋 TL;DR
This CVE describes a server-side request forgery (SSRF) vulnerability in the TrustTunnel VPN software that lets a connected VPN client bypass the server's private-network restriction. When 'allow_private_network_connections = false' is configured, the check is only applied to hostnames: a destination supplied as a numeric IP address is not validated, so a client can make the server open connections to loopback and private-network targets on the client's behalf. TrustTunnel versions before 0.9.114 are affected.
💻 Affected Systems
- TrustTunnel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot through the VPN server to access internal services, potentially reaching sensitive systems like databases, management interfaces, or internal APIs that should be isolated from external access.
Likely Case
Attackers could scan and access internal network services behind the VPN server, potentially exposing internal applications, file shares, or administrative interfaces that were intended to be protected.
If Mitigated
With network segmentation and firewall rules that block the VPN server's outbound connections to internal ranges, the impact is limited to the subnet the VPN server itself sits on (and to services listening on its loopback interface), preventing lateral movement to critical systems.
🎯 Exploit Status
Exploitation requires an authenticated VPN client session. Once connected, the bypass is straightforward: the client requests a destination as a numeric IP address (for example 127.0.0.1 or an address in an RFC 1918 range) instead of a hostname, and the server connects without applying the private-network check.
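To make the failure mode concrete, the following is an added Python example, not TrustTunnel's code: it reconstructs the flawed pattern the advisory describes (hostnames are classified after resolution, numeric IP literals skip the check) next to a hardened version that classifies every address the connection would actually use. The function names, the FAKE_DNS table and the fake resolver are assumptions so the example runs offline; real code would resolve with socket.getaddrinfo.

```python
import ipaddress
from typing import List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed, offline stand-in for DNS resolution (assumption: real code would
# call socket.getaddrinfo). IP literals come back unchanged, a few made-up
# hostnames map to fixed answers, unknown names resolve to nothing.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.corp.example": ["10.20.30.40"],
    "www.example.com": ["93.184.216.34"],
}


def fake_resolve(target: str) -> List[IPAddress]:
    try:
        return [ipaddress.ip_address(target)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(target, [])]


def is_non_global(addr: IPAddress) -> bool:
    """True for any address a 'no private connections' policy must refuse."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so 127.0.0.1 cannot hide inside
    # an IPv6 literal; the mapped form is otherwise classified as IPv6.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_allow(target: str, resolve=fake_resolve) -> bool:
    """Illustrative reconstruction of the flawed pattern (not the real code).

    Hostnames are resolved and classified, but a numeric IP literal returns
    'allowed' before any classification happens: that is the bypass.
    """
    try:
        ipaddress.ip_address(target)
        return True                      # BUG: literal IPs skip the policy
    except ValueError:
        pass
    addrs = resolve(target)
    return bool(addrs) and not any(is_non_global(a) for a in addrs)


def vet_destination(target: str, resolve=fake_resolve) -> List[IPAddress]:
    """Hardened check: literals and hostnames take the same path.

    Returns the list of addresses the caller may connect to; an empty list
    means deny (including 'no answer', so the check fails closed). Connect to
    one of the returned addresses rather than re-resolving the name, so a
    second lookup cannot return a different (private) answer.
    """
    addrs = resolve(target)
    if not addrs or any(is_non_global(a) for a in addrs):
        return []
    return addrs


if __name__ == "__main__":
    for t in ("127.0.0.1", "192.168.1.1", "::ffff:10.0.0.5", "localhost",
              "intranet.corp.example", "www.example.com"):
        print(f"{t:24} vulnerable={vulnerable_allow(t)!s:5} vetted={vet_destination(t)}")
```

Two design points matter here. First, the check runs on resolved results, not on the input string: with a real getaddrinfo-based resolver, alternative spellings such as the decimal form 2130706433 come back as 127.0.0.1 and are caught, whereas a string-based blocklist would miss them. Second, the vetted address is what gets connected to, which closes the resolve-then-re-resolve window that a rebinding DNS answer would otherwise exploit.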
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.114
Vendor Advisory: https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76
Restart Required: Yes
Instructions:
1. Stop the TrustTunnel service.
2. Update to version 0.9.114 or later.
3. Restart the TrustTunnel service.
4. Verify the fix: confirm the running version is 0.9.114 or later and, with allow_private_network_connections = false, confirm that a connection request to a numeric loopback or private address (for example 127.0.0.1) is refused.
🔧 Temporary Workarounds
Set allow_private_network_connections to true
Setting allow_private_network_connections = true removes the vulnerable code path, but only because it makes private-network connections permitted by policy; the server can still reach internal hosts on behalf of clients. Use this only together with the network firewall restrictions below.
Edit the TrustTunnel configuration file and set: allow_private_network_connections = true
Network firewall restrictions
Implement network-level restrictions so that the VPN server cannot reach internal networks regardless of what the application-level check does.
Add host-firewall rules on the VPN server that block outbound connections made on behalf of VPN clients to loopback and internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16 and the IPv6 equivalents ::1 and fc00::/7), and enforce the same on the network gateway for traffic leaving the host. Note that only a host firewall can block connections to the server's own loopback interface.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the VPN server from sensitive internal networks
- Deploy additional monitoring and alerting for VPN server connections to internal IP addresses
🔍 How to Verify
Check if Vulnerable:
Check TrustTunnel version and configuration. If version < 0.9.114 and allow_private_network_connections = false, the system is vulnerable.
Check Version:
trusttunnel --version or check package manager for installed version
Verify Fix Applied:
After patching, with allow_private_network_connections = false, test that destinations given as numeric IP addresses in private or loopback ranges (such as 127.0.0.1 and 192.168.1.1) are refused. Include the IPv6 forms ::1 and ::ffff:127.0.0.1 and a hostname that resolves to a private address in the test, since all of them must be refused by the same check.
📡 Detection & Monitoring
Log Indicators:
- Connection attempts from VPN server to internal IP addresses
- Failed connection attempts to private IP ranges when restrictions should be active
Network Indicators:
- VPN server initiating connections to internal network IPs
- Unusual traffic patterns from VPN server to loopback addresses
SIEM Query (pseudo-syntax; adapt to your platform and replace VPN_SERVER_IP with the server's address):
source_ip="VPN_SERVER_IP" AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16)
Exclude the server's own expected traffic (its DNS resolver, monitoring and management endpoints) to reduce noise; with allow_private_network_connections = false, any other connection from the server into these ranges should not occur and is worth an alert.
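The query above implemented as detection logic, as an added Python example that is not part of the page or of TrustTunnel: it parses a constructed key=value connection log, keeps only flows whose source is the VPN server, and flags destinations that fall inside the page's watched ranges. It goes slightly beyond the query by also covering link-local and the IPv6 equivalents, and by unwrapping IPv4-mapped IPv6 destinations. The log format, the server address 198.51.100.7 and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Dict

# Ranges from the SIEM query plus link-local and the standard IPv6 non-global
# ranges (assumption: the same policy applies to IPv6 destinations).
WATCHED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed VPN server address (RFC 5737 documentation range).
VPN_SERVER_IP = ipaddress.ip_address("198.51.100.7")

# Constructed sample of a connection log in a made-up key=value format.
SAMPLE_LOG = """\
2026-02-03T10:15:02Z conn src=198.51.100.7 dst=93.184.216.34 dport=443 proto=tcp
2026-02-03T10:15:03Z conn src=198.51.100.7 dst=10.20.30.40 dport=5432 proto=tcp
2026-02-03T10:15:04Z conn src=203.0.113.9 dst=10.20.30.40 dport=445 proto=tcp
2026-02-03T10:15:05Z conn src=198.51.100.7 dst=127.0.0.1 dport=8080 proto=tcp
2026-02-03T10:15:06Z conn src=198.51.100.7 dst=169.254.169.254 dport=80 proto=tcp
2026-02-03T10:15:07Z conn src=198.51.100.7 dst=::ffff:192.168.1.1 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+conn\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def watched_range(addr) -> str:
    """Return the watched range containing addr as a string, or '' if none."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # classify ::ffff:a.b.c.d as IPv4
    for net in WATCHED_RANGES:
        if addr in net:                  # False when versions differ, no exception
            return str(net)
    return ""


def find_pivot_attempts(log_text: str, vpn_server_ip=VPN_SERVER_IP) -> List[Dict]:
    """Flag connections from the VPN server into loopback/private ranges."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not crash
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if src != vpn_server_ip:
            continue
        rng = watched_range(dst)
        if rng:
            alerts.append({"ts": m["ts"], "dst": m["dst"],
                           "dport": int(m["dport"]), "range": rng})
    return alerts


if __name__ == "__main__":
    for a in find_pivot_attempts(SAMPLE_LOG):
        print(f"{a['ts']} VPN server -> {a['dst']}:{a['dport']} (in {a['range']})")
```

On the sample, the first line (a public destination) and the third line (a different source host) are not flagged; the remaining four are. In production, add an allowlist for the server's own expected internal destinations before alerting, and feed the detector from whatever flow source you already collect (NetFlow, host firewall logs, the VPN server's own connection log).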