Is this really a vulnerability? This is just expected behavior of IP-in-IP. I don't know of any devices that have IP-in-IP enabled by default because you need to be careful setting it up to work correctly.
Edit: Now I see that some devices have been found that have IP-in-IP switched on by default which is crazily stupid.
Edit: Now I see that some devices have been found that have IP-in-IP switched on by default which is crazily stupid.