PureVPN’s Linux Clients Expose IPv6 Addresses & Disable Firewalls

An independent researcher named Andreas, author of the blog Anagogistis, has uncovered severe vulnerabilities in the Linux clients of PureVPN, flaws that undermine the very foundations of anonymity and traffic protection. The issues affect both the graphical client (version 2.10.0) and the console client (version 2.0.1), tested on Ubuntu 24.04.3 LTS.

The most critical weakness arises when reconnecting to Wi-Fi or resuming from sleep: the user’s real IPv6 address becomes exposed. In the console client, even with the Internet Kill Switch enabled, the service automatically announces the restoration of connectivity, yet during that interval the system accepts IPv6 routes via Router Advertisements, sending packets outside the VPN tunnel. Because the default ip6tables policy remains set to ACCEPT, traffic flows directly into the open network.

The graphical client introduces even greater risk. When a session drops, it correctly blocks IPv4 traffic and alerts the user, yet IPv6 traffic continues to flow unimpeded until the user manually clicks Reconnect. This creates a dangerous window in which sensitive data is transmitted openly across the internet.

Equally troubling is the way the client handles firewall settings. Upon establishing a VPN session, it wipes the existing iptables configuration, sets INPUT to ACCEPT, and deletes user-defined rules, including those of UFW, Docker chains, and custom security policies. When the VPN disconnects, these modifications are not reverted, leaving the system in a weaker state than before the connection was initiated.

Andreas submitted detailed reports and demonstration videos through PureVPN’s vulnerability disclosure program in late August 2025. Yet, after three weeks, the company had issued no public acknowledgment and provided no guidance to users about the risks.

In practice, this means Linux users of PureVPN may browse IPv6-enabled websites or send email while believing they are protected, even though their true address is already visible to their ISP. The simultaneous presence of IPv6 leakage and dismantled firewall protections highlights a profound breach of the basic principles of security on which trust in VPN services is built.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy