Openvpn

OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase

Published: 2025-04-02T21:00:58.582Z
Updated: 2025-10-23T10:53:34.373Z

Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service

Published: 2026-01-30T18:06:07.499Z
Updated: 2026-01-30T19:29:24.934Z

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.

Published: 2025-12-03T16:22:35.771Z
Updated: 2025-12-12T13:56:20.684Z

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

Published: 2025-12-03T19:54:10.737Z
Updated: 2025-12-12T13:50:46.678Z

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses

Published: 2025-12-01T12:43:02.480Z
Updated: 2025-12-01T18:50:28.995Z

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use

Published: 2025-10-24T10:06:51.056Z
Updated: 2026-02-26T16:57:07.973Z

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

Published: 2025-01-06T13:52:20.272Z
Updated: 2025-11-03T20:48:53.705Z

OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges

Published: 2025-04-03T15:11:51.057Z
Updated: 2025-04-04T13:25:17.430Z

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session

Published: 2024-07-08T21:30:24.798Z
Updated: 2024-11-01T20:38:32.966Z

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

Published: 2024-07-08T10:20:34.520Z
Updated: 2024-08-10T03:55:21.896Z

The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.

Published: 2024-02-21T10:55:15.487Z
Updated: 2024-08-26T16:13:36.611Z

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Published: 2022-03-18T18:00:20.000Z
Updated: 2025-11-03T20:34:30.191Z

OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe).

Published: 2021-07-02T12:30:38.000Z
Updated: 2024-08-03T17:01:07.343Z

Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.

Published: 2023-08-22T00:00:00.000Z
Updated: 2024-10-04T16:22:07.912Z

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Published: 2021-04-26T13:19:45.000Z
Updated: 2024-08-04T13:08:21.675Z

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.

Published: 2020-04-27T14:47:01.000Z
Updated: 2024-08-04T11:42:00.876Z

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.

Published: 2018-05-01T18:00:00.000Z
Updated: 2024-08-05T07:17:52.100Z

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning

Published: 2018-03-16T15:00:00.000Z
Updated: 2024-11-14T20:46:28.947Z

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

Published: 2017-06-27T13:00:00.000Z
Updated: 2024-08-05T16:04:11.857Z

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().

Published: 2017-06-27T13:00:00.000Z
Updated: 2024-08-05T16:04:11.856Z

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.

Published: 2017-06-27T13:00:00.000Z
Updated: 2024-08-05T16:04:11.764Z

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.

Published: 2017-06-27T13:00:00.000Z
Updated: 2024-08-05T16:04:11.917Z

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

Published: 2017-05-15T18:00:00.000Z
Updated: 2024-08-05T16:04:11.543Z

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

Published: 2017-10-03T19:00:00.000Z
Updated: 2024-08-05T18:28:16.530Z

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T01:29:18.449Z

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.

Published: 2013-11-15T18:16:00.000Z
Updated: 2024-08-06T15:20:37.491Z