Taking down a network with a TLS certificate: my RIPE NCC RPKI exploit chain
A security researcher discovered an exploit chain that could disconnect a network from the internet by compromising routing authorizations via a malicious link. The attack leverages XSS vulnerabilities, a shared session cookie, and lack of CSRF protection in RIPE NCC systems to manipulate RPKI and the RIPE Database. Although the vulnerabilities have been fixed, the exploit could have allowed attackers to silently disrupt connectivity for hours or enable route hijacking.
- The exploit chain uses a malicious link to RIPE Atlas, which appears legitimate and can trigger an attack if clicked by a logged-in user.
- By exploiting XSS vulnerabilities and missing CSRF protections, an attacker can modify RPKI Route Origin Authorisations to block a network's traffic.
- Compromising the RIPE Database allows hijacking of network objects, locking out legitimate owners until manual intervention by RIPE NCC staff.
- RPKI is trusted globally to validate internet routing, but its reliance on web interfaces introduces critical security risks if not properly secured.
- The researcher responsibly disclosed the vulnerabilities after a 14-month process, and all issues have since been fixed.
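
Why a changed ROA cuts a network off, shown as an added example that is not from the original article or from RIPE NCC: a small monitor that applies RFC 6811 route origin validation to your own announcements and reports any that have become invalid between two snapshots of validated ROA payloads (VRPs). The prefixes and ASNs are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

def rov_state(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP only matters if it covers the route (same family, same or shorter prefix).
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS0 VRPs never match; the route must also respect maxLength.
        if vrp_asn == origin_asn and vrp_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: validating networks reject the route.
    return "invalid" if covered else "not-found"

def newly_invalid(announcements, vrps_before, vrps_after):
    """Announcements that were not invalid before but are invalid now."""
    return [
        (p, a) for p, a in announcements
        if rov_state(p, a, vrps_before) != "invalid"
        and rov_state(p, a, vrps_after) == "invalid"
    ]

# Constructed sample data (documentation prefixes and ASNs).
ANNOUNCED = [("192.0.2.0/24", 64500), ("2001:db8::/32", 64500)]
VRPS_BEFORE = [("192.0.2.0/24", 24, 64500), ("2001:db8::/32", 48, 64500)]
# Same prefixes after the IPv4 ROA's origin was changed to another ASN.
VRPS_AFTER = [("192.0.2.0/24", 24, 64511), ("2001:db8::/32", 48, 64500)]

if __name__ == "__main__":
    for prefix, asn in newly_invalid(ANNOUNCED, VRPS_BEFORE, VRPS_AFTER):
        print(f"ALERT: {prefix} from AS{asn} is now RPKI-invalid")
```

An empty VRP set yields `not-found` rather than `invalid`, so this check flags ROAs that were changed, not ROAs that were removed.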
Opening excerpt (first ~120 words)
Taking down a European network with a TLS certificate: my RIPE NCC RPKI exploit chain

April 29, 2026

One click on a malicious, but not suspicious, link. That is all it could take for a network operator to get disconnected from the internet, through a chain of vulnerabilities I discovered. From that single click, I could fully control their routing authorisations in a RIPE NCC portal, telling the rest of the internet not to accept their routes. I could also hijack all their RIPE Database objects, locking the legitimate owners out until RIPE NCC staff manually restore them.

This attack chain comes down to surprising entry points, risky architectural decisions, and components that don’t look security-critical until they are.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Mxsasha.