National Research Center for Applied Cybersecurity ATHENE: Severe Vulnerabilities Discovered in Software to Protect Internet Routing

12.4.2024 08:49:14 CEST | news aktuell GmbH | Press release

A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. By now, all affected vendors provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

Frankfurt and Darmstadt, April 2024

The ATHENE team consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range between crashes, violation of standard behavior, and even severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy in order to inject its own trust anchor – effectively being able to forge authentic and valid yet bogus routing information (i.e., BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/ ) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.

Press Contact: Mrs. Cornelia Reitz, cornelia.reitz@athene-center.de

Subscribe to releases from news aktuell GmbH

Subscribe to all the latest releases from news aktuell GmbH by registering your e-mail address below. You can unsubscribe at any time.

Latest releases from news aktuell GmbH

Innomotics Accelerates Electrification and Efficiency in Next?Generation Data Centers9.4.2026 11:00:00 CEST | Press release

Innomotics expands its portfolio of high‑efficiency motor, drive, and generator systems for hyperscale and AI‑optimized data centers Innomotics accelerates the electrification and efficiency of mission‑critical cooling, power, and safety infrastructure Solutions deliver significant operational, environmental, and financial benefits for operators facing rising power densities and cooling demands Supports global digitalization and the transition toward sustainable, resilient data center ecosystems

Kuvings Secures Non-Infringement Ruling for AUTO10 at UPC Court of Appeal; Sales Restrictions Lifted Across Europe8.4.2026 12:32:57 CEST | Press release

• The Court of Appeal overturns the first-instance decision and finds no infringement • The cross-border injunction across key European markets is lifted • A stricter, claim-based approach to patent interpretation is reaffirmed

Successful closing of the acquisition: INTERSPORT Austria strengthens its position in the European sports retail sector7.4.2026 09:07:36 CEST | Press release

Wels, Austria / 02. April 2026. INTERSPORT Austria has successfully completed the acquisition of the INTERSPORT Slovenia Group (closing). As a result, the sports retail group, headquartered in Wels, now has over 500 stores with more than 5.000 employees across twelve countries in Central and South-Eastern Europe, and will exceed the € 1 billion mark in sales in the future.

Petrus Discloses Significant Stake in Iveco Group N.V.31.3.2026 12:00:00 CEST | Press release

ST. HELIER & LONDON, 31 March 2026 – Petrus Legal Strategies (Jersey) Limited, Petrus Advisers Limited and funds advised by Petrus Advisers Limited (together, “Petrus”), which together hold between 3% and 5% of Iveco Group N.V. (“Iveco”) common shares, today issued the following statement regarding Tata Motors’s proposed all-cash voluntary tender offer for Iveco at €14.10 per share: “We are currently reviewing the terms of the proposal and may provide further comments in due course. We look forward to engaging in a constructive dialogue with Iveco, Tata Motors and all other relevant stakeholders.” About Petrus Advisers and Petrus Legal Strategies Petrus Advisers is an FCA regulated alternative investment management firm. Headquartered in London, it was founded in 2009. Petrus has a successful track record investing in European equities based on its proprietary analysis and entrepreneurial investment approach. Petrus takes a constructive approach actively working together with the manag

Valle Venia presents: LPS feat. Natalia Sarsgard: J’ai dû m’arrêter27.3.2026 11:09:54 CET | Press release

(Neustadt an der Weinstrasse, Germany) The song by Leo Philipp Schmidt and Valle Venia captures the feeling of losing oneself in a world that is growing ever louder and faster, where restlessness and superficiality cause relationships, friendships, and connections to dissolve and be sacrificed. With emotional depth, singer Natalia Sarsgard describes the path to finding oneself again, to gathering one’s thoughts, to remaining silent, to withdrawing—in order to reflect in the silence, in the comfort, and in the seclusion, to feel and reconnect with ourselves and others. Through her multifaceted voice, Natalia Sarsgard’s interpretation of the song conveys how strength and courage can arise from deep vulnerability. Without even realizing it, one is accompanied by the confidence that what was thought to be lost can be found again. Youtube: https://youtu.be/CINjhTHtmno J'ai Du M'arreter - LPS, https://open.spotify.com/intl-de/album/6BvbJ0VAAvMwciCD7q7BC8 https://shop.valle-venia.de/products/

In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.

Visit our pressroom