MidnightBSD

Advisories for openvpn

CVE-2005-2531 MEDIUM

OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and causes the error to be processed by the wrong client, which allows remote attackers to cause a denial of service (client disconnection) via a large number of failed authentication attempts.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0_test10
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2005-2532 MEDIUM

OpenVPN before 2.0.1 does not properly flush the OpenSSL error queue when a packet can not be decrypted by the server, which allows remote authenticated attackers to cause a denial of service (client disconnection) via a large number of packets that can not be decrypted.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0_test10
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2005-2533 LOW

OpenVPN before 2.0.1, when running in "dev tap" Ethernet bridging mode, allows remote authenticated clients to cause a denial of service (memory exhaustion) via a flood of packets with a large number of spoofed MAC addresses.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0_test10
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2005-2534 LOW

Race condition in OpenVPN before 2.0.1, when --duplicate-cn is not enabled, allows remote attackers to cause a denial of service (server crash) via simultaneous TCP connections from multiple clients that use the same client certificate.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0_test10
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2005-3393 HIGH

Format string vulnerability in the foreign_option function in options.c for OpenVPN 2.0.x allows remote clients to execute arbitrary code via format string specifiers in a push of the dhcp-option command option.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn_access_server 2.0.2
openvpn openvpn 2.0_beta11
openvpn openvpn_access_server 2.0.1
openvpn openvpn 2.0
CVE-2005-3409 MEDIUM

OpenVPN 2.x before 2.0.4, when running in TCP mode, allows remote attackers to cause a denial of service (segmentation fault) by forcing the accept function call to return an error status, which leads to a null dereference in an exception handler.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0.2_rc1
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn_access_server 2.0.2
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0.3_rc1
openvpn openvpn 2.0_test10
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn_access_server 2.0.1
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2006-1629 HIGH

OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn_access_server 2.0.2
openvpn openvpn 2.0.4
openvpn openvpn_access_server 2.0.3
openvpn openvpn_access_server 2.0.5
openvpn openvpn_access_server 2.0.1
openvpn openvpn 2.0
CVE-2006-2229 MEDIUM

OpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0.2_rc1
openvpn openvpn 2.0_rc14
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test25
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_beta9
openvpn openvpn 2.0_rc7
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test4
openvpn openvpn 2.0_test27
openvpn openvpn 2.0
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.0_test14
openvpn openvpn 2.0.4
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_beta13
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_rc8
openvpn openvpn 2.0_test26
openvpn openvpn 2.0_test5
openvpn openvpn 2.0_beta3
openvpn openvpn_access_server 2.0.2
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_beta4
openvpn openvpn 2.0_test7
openvpn openvpn 2.0.1_rc1
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_test11
openvpn openvpn 2.0_beta2
openvpn openvpn 2.0_beta11
openvpn openvpn 2.0_rc18
openvpn openvpn 2.0_beta15
openvpn openvpn 2.0_test17
openvpn openvpn 2.0_beta18
openvpn openvpn 2.0.3_rc1
openvpn openvpn 2.0_test10
openvpn openvpn_access_server 2.0.7
openvpn openvpn 2.0_beta10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_beta28
openvpn openvpn 2.0_test29
openvpn openvpn 2.0_beta19
openvpn openvpn 2.0_test24
openvpn openvpn 2.0_beta6
openvpn openvpn 2.0_beta16
openvpn openvpn 2.0_beta5
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.0_beta7
openvpn openvpn 2.0_beta20
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn_access_server 2.0.1
openvpn openvpn 2.0.1_rc3
openvpn openvpn_access_server 2.0.6
openvpn openvpn 2.0_rc5
openvpn openvpn 2.0_test18
openvpn openvpn 2.0_beta1
openvpn openvpn 2.0_beta8
openvpn openvpn 2.0_beta17
openvpn openvpn 2.0_beta12
openvpn openvpn 2.0_rc11
openvpn openvpn_access_server 2.0.5
openvpn openvpn 2.0.6_rc1
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
CVE-2013-2061 LOW

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
openvpn openvpn 1.3.0
openvpn openvpn 1.4.3
openvpn openvpn 2.1.0
openvpn openvpn 1.3.1
openvpn openvpn 1.4.0
openvpn openvpn 2.2.0
opensuse opensuse 11.4
openvpn openvpn 1.2.0
openvpn openvpn 1.2.1
openvpn openvpn 1.5.0
openvpn openvpn 1.3.2
openvpn openvpn 1.6.0
openvpn openvpn *
openvpn openvpn 1.4.2
openvpn openvpn 1.4.1
openvpn openvpn_access_server 2.0.0
CVE-2013-2692 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2014-5455 MEDIUM

Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-428,

Products Affected

Vendor Product Version
openvpn openvpn 2.1.28.0
privatetunnel privatetunnel 2.3.8
CVE-2014-8104 MEDIUM

OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
openvpn openvpn 2.0_rc17
openvpn openvpn 2.0_rc14
openvpn openvpn 2.1.0
openvpn openvpn 2.1.2
openvpn openvpn_access_server 2.0.8
openvpn openvpn 2.1.4
openvpn openvpn 2.0_rc1
openvpn openvpn 2.0.1_rc2
openvpn openvpn 2.0_test27
openvpn openvpn 2.0.9
openvpn openvpn 2.3.4
openvpn openvpn 2.0_test12
openvpn openvpn 2.0_test20
openvpn openvpn 2.0_test26
openvpn openvpn_access_server 2.0.2
openvpn openvpn_access_server 2.0.3
openvpn openvpn 2.0_rc6
openvpn openvpn 2.0_test23
openvpn openvpn 2.0_test7
openvpn openvpn_access_server 2.0.0
openvpn openvpn 2.0_rc15
openvpn openvpn 2.0_test11
openvpn openvpn 2.3.1
opensuse opensuse 13.2
openvpn openvpn 2.0_test17
openvpn openvpn_access_server 2.0.7
debian debian_linux 8.0
openvpn openvpn 2.2.2
openvpn openvpn 2.0_rc12
openvpn openvpn 2.0_rc21
openvpn openvpn 2.0_test29
opensuse opensuse 13.1
openvpn openvpn 2.0_rc10
openvpn openvpn 2.0_rc19
openvpn openvpn 2.0_test28
openvpn openvpn_access_server 2.0.1
openvpn openvpn 2.2.0
openvpn openvpn_access_server 2.0.6
openvpn openvpn 2.3.3
openvpn openvpn 2.1
openvpn openvpn 2.0_test18
openvpn openvpn 2.1.3
openvpn openvpn 2.0_rc11
openvpn openvpn_access_server 2.0.5
openvpn openvpn 2.0_rc2
openvpn openvpn 2.0_rc13
openvpn openvpn 2.0.2_rc1
openvpn openvpn 2.0_test3
openvpn openvpn 2.0_test25
openvpn openvpn 2.0_test22
openvpn openvpn 2.0_test2
openvpn openvpn 2.3
openvpn openvpn 2.0_rc16
openvpn openvpn 2.0_rc20
openvpn openvpn 2.0.1_rc7
openvpn openvpn 2.0_test16
openvpn openvpn 2.0_test6
openvpn openvpn 2.0_rc7
openvpn openvpn 2.1.1
openvpn openvpn 2.3.2
openvpn openvpn 2.0_test4
openvpn openvpn 2.0_test1
openvpn openvpn 2.0.1_rc5
openvpn openvpn 2.0_rc9
openvpn openvpn 2.0_test8
openvpn openvpn 2.2.1
openvpn openvpn 2.3.5
openvpn openvpn 2.0_test14
openvpn openvpn 2.0.4
openvpn openvpn 2.0_test15
openvpn openvpn 2.0_rc3
openvpn openvpn 2.0_test21
openvpn openvpn 2.0_rc8
mageia mageia 4.0
openvpn openvpn 2.0_test5
openvpn openvpn 2.0.1_rc1
canonical ubuntu_linux 12.04
debian debian_linux 7.0
openvpn openvpn 2.0_rc4
openvpn openvpn 2.0_rc18
openvpn openvpn_access_server 2.0.10
openvpn openvpn 2.0.3_rc1
openvpn openvpn 2.0_test10
openvpn openvpn 2.0.1_rc6
openvpn openvpn 2.0_test9
openvpn openvpn 2.0_test24
opensuse opensuse 12.3
openvpn openvpn 2.0.1_rc4
openvpn openvpn 2.0_test19
openvpn openvpn 2.2
openvpn openvpn 2.0.1_rc3
openvpn openvpn 2.0_rc5
canonical ubuntu_linux 14.10
canonical ubuntu_linux 14.04
openvpn openvpn 2.3.0
openvpn openvpn 2.0.6_rc1
CVE-2014-9104 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2016-6329 MEDIUM

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-310,

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2017-12166 MEDIUM

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 9.0
openvpn openvpn *
CVE-2017-5868 MEDIUM

CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-93,

Products Affected

Vendor Product Version
openvpn openvpn_access_server 2.1.4
CVE-2017-7478 MEDIUM

OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-20,

Products Affected

Vendor Product Version
openvpn openvpn 2.3.12
openvpn openvpn 2.3.13
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn 2.3.14
CVE-2017-7479 MEDIUM

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn *
CVE-2017-7508 MEDIUM

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
openvpn openvpn 2.4.2
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn *
CVE-2017-7520 MEDIUM

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-125,

Products Affected

Vendor Product Version
openvpn openvpn 2.4.2
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn *
CVE-2017-7521 MEDIUM

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-415,CWE-772,

Products Affected

Vendor Product Version
openvpn openvpn 2.4.2
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn *
CVE-2017-7522 MEDIUM

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-476,

Products Affected

Vendor Product Version
openvpn openvpn 2.4.2
openvpn openvpn 2.4.0
openvpn openvpn 2.4.1
openvpn openvpn *
CVE-2018-7544 MEDIUM

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2018-9336 MEDIUM

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
slackware slackware_linux 14.0
slackware slackware_linux 13.1
slackware slackware_linux 13.0
openvpn openvpn *
slackware slackware_linux 13.37
slackware slackware_linux 14.1
CVE-2020-11462 MEDIUM

An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2020-11810 MEDIUM

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 8.0
debian debian_linux 9.0
debian debian_linux 10.0
fedoraproject fedora 30
fedoraproject fedora 32
openvpn openvpn *
CVE-2020-15074 MEDIUM

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-302,CWE-613,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2020-15075 LOW

OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-61,CWE-59,

Products Affected

Vendor Product Version
openvpn connect *
CVE-2020-15076 HIGH

Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access via symlinks in /tmp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-61,CWE-59,

Products Affected

Vendor Product Version
openvpn private_tunnel *
CVE-2020-15077 LOW

OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-305,CWE-287,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2020-15078 MEDIUM

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-305,CWE-306,

Products Affected

Vendor Product Version
debian debian_linux 9.0
canonical ubuntu_linux 18.04
fedoraproject fedora 33
canonical ubuntu_linux 20.04
canonical ubuntu_linux 21.04
fedoraproject fedora 32
canonical ubuntu_linux 20.10
openvpn openvpn *
fedoraproject fedora 34
CVE-2020-20813

Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2020-36382 MEDIUM

OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,CWE-617,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2020-8953 HIGH

OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2020-9442 HIGH

OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-281,

Products Affected

Vendor Product Version
openvpn connect *
CVE-2021-3547 MEDIUM

OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-305,CWE-295,

Products Affected

Vendor Product Version
openvpn openvpn 3.6.1
openvpn openvpn 3.6
CVE-2021-3606 MEDIUM

OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-427,

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2021-3613 MEDIUM

OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-427,

Products Affected

Vendor Product Version
openvpn connect *
CVE-2021-3824 MEDIUM

OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-84,CWE-79,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2021-4234 MEDIUM

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-406,NVD-CWE-Other,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2022-0547 HIGH

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-305,CWE-287,

Products Affected

Vendor Product Version
debian debian_linux 9.0
fedoraproject fedora 36
openvpn openvpn *
fedoraproject fedora 34
CVE-2022-33737 MEDIUM

The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-708,CWE-532,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2022-33738 MEDIUM

OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-331,CWE-338,

Products Affected

Vendor Product Version
openvpn openvpn_access_server *
CVE-2022-3761

OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contains the users credentials

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
openvpn connect *
CVE-2023-46849

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
debian debian_linux 12.0
fedoraproject fedora 39
openvpn openvpn_access_server 2.12.0
openvpn openvpn_access_server *
openvpn openvpn_access_server 2.12.1
openvpn openvpn *
CVE-2023-46850

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
debian debian_linux 12.0
fedoraproject fedora 39
openvpn openvpn_access_server *
openvpn openvpn *
CVE-2023-6247

The PKCS#7 parser in OpenVPN 3 Core Library versions through 3.8.3 did not properly validate the parsed data, which would result in the application crashing.

Products Affected

Vendor Product Version
openvpn openvpn_3 *
CVE-2023-7224

OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
openvpn connect *
CVE-2023-7235

The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.

Products Affected

Vendor Product Version
openvpn openvpn_gui *
CVE-2024-1305

tap-windows6 driver version 9.26 and earlier does not properly check the size data of incomming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space

Products Affected

Vendor Product Version
openvpn tap-windows6 *
CVE-2024-13454

Weak encryption algorithm in Easy-RSA version 3.0.5 through 3.1.7 allows a local attacker to more easily bruteforce the private CA key when created using OpenSSL 3

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4

Products Affected

Vendor Product Version
openvpn easy-rsa *
CVE-2024-24974

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-27459

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-27903

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-28882

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-4877

OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-5198

OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

Products Affected

Vendor Product Version
openvpn ovpn-dco-win 1.1.1
CVE-2024-5594

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2024-8474

OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
openvpn connect *
CVE-2025-12106

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
openvpn openvpn 2.6.13
openvpn openvpn 2.7
CVE-2025-13086

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

Products Affected

Vendor Product Version
openvpn openvpn 2.7
openvpn openvpn *
CVE-2025-13751

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.

Products Affected

Vendor Product Version
openvpn openvpn 2.7
openvpn openvpn *
CVE-2025-2704

OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
openvpn openvpn *
CVE-2025-3908

The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

Products Affected

Vendor Product Version
openvpn openvpn3linux *
CVE-2025-50054

Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
openvpn ovpn-dco-win *