The network has IPv6 enabled without proper security controls, or firewall rules are only configured for IPv4 traffic, leaving IPv6 traffic unprotected.
An attacker could bypass IPv4-only security controls using IPv6 traffic, perform man-in-the-middle attacks via IPv6 router advertisements, or access services not intended to be exposed over IPv6.
Apply security policies consistently across both IPv4 and IPv6. If IPv6 is not required, disable it at the host and network level. Monitor for rogue IPv6 router advertisements. Audit firewall rules for IPv6 coverage.