National Research Center for Applied Cybersecurity ATHENE: Severe Vulnerabilities Discovered in Software to Protect Internet Routing
A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. By now, all affected vendors have provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

Frankfurt and Darmstadt, April 2024
The ATHENE team, consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range from crashes and violations of standard behavior to severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy in order to inject its own trust anchor, effectively being able to forge authentic and valid yet bogus routing information (i.e., BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.
RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.
The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.
The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.
Press Contact: Mrs. Cornelia Reitz, cornelia.reitz@athene-center.de