OpenVPN, a popular open-source VPN software, has rolled out an update to address a major vulnerability that could crash a server and potentially allow remote code execution in certain situations. The flaw, tracked as CVE-2025-2704, affects OpenVPN servers configured with specific settings; OpenVPN clients are unaffected. The issue has been fixed in the latest release, OpenVPN 2.6.14.
Why it matters
CVE-2025-2704 could allow an attacker holding a valid tls-crypt-v2 client key to crash the server by sending a mix of authenticated and malformed packets. Such a packet sequence triggers an ASSERT() failure and terminates the server process. Although this flaw doesn’t compromise data or leak information, it poses a denial-of-service (DoS) risk.
| Product | Version | Impact |
|---|---|---|
| OpenVPN Server | 2.6.1 to 2.6.13 | Potential server crash from malformed packets |
| OpenVPN Server (tls-crypt-v2) | 2.6.1 to 2.6.13 | Risk of denial-of-service attack |
| OpenVPN Client | All versions | Not affected |
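The two preconditions above (an affected server version and tls-crypt-v2 in use) can be checked from a host's `openvpn --version` banner and its server configuration. The following Python script is an added example, not code from the article or from the OpenVPN project: it parses the version out of the banner, tests it against the 2.6.1 to 2.6.13 range, and scans the config for a `tls-crypt-v2` directive or inline `<tls-crypt-v2>` block. The sample banner and configuration lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Affected server range stated in the advisory: 2.6.1 up to and including 2.6.13.
AFFECTED_MIN = (2, 6, 1)
AFFECTED_MAX = (2, 6, 13)
FIXED = (2, 6, 14)

# First line of `openvpn --version` starts with e.g. "OpenVPN 2.6.12 x86_64-pc-linux-gnu ...".
VERSION_RE = re.compile(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)")


@dataclass
class Assessment:
    version: tuple
    version_affected: bool
    tls_crypt_v2: bool

    @property
    def vulnerable(self) -> bool:
        # Both advisory preconditions must hold: affected version AND tls-crypt-v2 in use.
        return self.version_affected and self.tls_crypt_v2


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the `openvpn --version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenVPN version string found in banner")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(v: tuple) -> bool:
    """Tuple comparison gives correct ordering for (major, minor, patch)."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def uses_tls_crypt_v2(config_text: str) -> bool:
    """True if the server config enables tls-crypt-v2 (file directive or inline block)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # skip blank lines and comments
        first = stripped.split()[0]
        # Either `tls-crypt-v2 /path/to/server.key` or an inline `<tls-crypt-v2>` block.
        if first == "tls-crypt-v2" or first.startswith("<tls-crypt-v2>"):
            return True
    return False


def assess(banner: str, config_text: str) -> Assessment:
    v = parse_version(banner)
    return Assessment(v, version_in_affected_range(v), uses_tls_crypt_v2(config_text))


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] [DCO]"
SAMPLE_CONFIG = """\
port 1194
proto udp
dev tun
# per-client keys are derived from this server key
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key
"""

if __name__ == "__main__":
    a = assess(SAMPLE_BANNER, SAMPLE_CONFIG)
    print(f"version={'.'.join(map(str, a.version))} affected_range={a.version_affected} "
          f"tls_crypt_v2={a.tls_crypt_v2} -> vulnerable={a.vulnerable}")
    if a.vulnerable:
        print("upgrade to OpenVPN %d.%d.%d or later" % FIXED)
```

On a real host, feed `assess()` the output of `openvpn --version` and the contents of the server's `.conf` file; a server that uses `tls-crypt` or `tls-auth` rather than `tls-crypt-v2` is reported as not exposed even on an affected version, matching the scope the advisory gives.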
Conclusion
OpenVPN stated that version 2.6.14 addresses the bug by properly handling malformed packets. Apart from fixing the issue, the update brings improvements such as Linux DCO enhancements for better IP selection when using --multihome, and updates to the Windows MSI installer. The new version also integrates OpenSSL 3.4.1 for improved security.