OpenVPN, a popular open-source VPN solution, has patched multiple flaws in its recent releases that expose users to denial-of-service (DoS) attacks and security bypasses.
Versions 2.6.17 and 2.7_rc3, released on November 28, 2025, address issues including a local DoS on Windows systems and remote state exhaustion attacks stemming from faulty HMAC verification.
These vulnerabilities could disrupt VPN services critical for remote access, allowing attackers to crash services or spoof connections without proper authentication.
Attackers exploit these flaws through specific error triggers and logic errors in authentication handshakes.
The HMAC verification bug, tracked as CVE-2025-13086, mishandles memcmp checks during the three-way handshake, allowing invalid cookies to be accepted from any IP address.
This lets remote attackers create unauthorized TLS sessions, exhausting server resources in a DoS resembling distributed attacks if scaled.
Affected versions range from 2.6.0 to 2.6.15, and stricter time-slot validation now rejects future timestamps to prevent replay-like abuses.
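To show the two checks the fix concerns, here is an added example (not OpenVPN's code) of a handshake cookie verifier: the flawed variant models a mis-read of memcmp's 0/non-zero return value (an assumption about the exact form of the bug), and the corrected variant uses a constant-time comparison and rejects cookies whose time slot lies in the future or too far in the past. The cookie layout, slot width and key are constructed for illustration and are not OpenVPN's real format.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 60    # assumed slot width for this example, not OpenVPN's value
MAX_PAST_SLOTS = 2   # accept cookies issued in the current or two previous slots
TAG_LEN = 32         # HMAC-SHA256 output length


def time_slot(now: int) -> int:
    """Map a Unix timestamp to a coarse time slot number."""
    return now // SLOT_SECONDS


def make_cookie(key: bytes, client_addr: bytes, now: int) -> bytes:
    """Server side: cookie = slot (8 bytes, big-endian) || HMAC(key, slot || client_addr)."""
    slot = struct.pack(">Q", time_slot(now))
    tag = hmac.new(key, slot + client_addr, hashlib.sha256).digest()
    return slot + tag


def verify_cookie_buggy(key: bytes, client_addr: bytes, cookie: bytes, now: int) -> bool:
    """Flawed check: memcmp returns 0 on equality, but the result is treated as 'valid'
    when non-zero, so any mismatching tag is accepted and the genuine one is rejected."""
    if len(cookie) != 8 + TAG_LEN:
        return False
    slot_bytes, tag = cookie[:8], cookie[8:]
    expected = hmac.new(key, slot_bytes + client_addr, hashlib.sha256).digest()
    memcmp_result = 0 if expected == tag else 1   # models memcmp()'s 0 / non-zero result
    return bool(memcmp_result)                    # the inverted test


def verify_cookie(key: bytes, client_addr: bytes, cookie: bytes, now: int) -> bool:
    """Corrected check: validate the time slot first, then compare the tag in constant time."""
    if len(cookie) != 8 + TAG_LEN:
        return False
    slot_bytes, tag = cookie[:8], cookie[8:]
    slot = struct.unpack(">Q", slot_bytes)[0]
    current = time_slot(now)
    if slot > current:                      # future slot: cannot have been issued yet
        return False
    if current - slot > MAX_PAST_SLOTS:     # stale slot: outside the acceptance window
        return False
    expected = hmac.new(key, slot_bytes + client_addr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time; True only on exact match
```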
Critical Vulnerabilities Breakdown
CVE-2025-13751 targets the Windows interactive service in versions 2.6.0 through 2.6.16 and 2.7_alpha1 to 2.7_rc2.
Local authenticated users trigger an erroneous exit on specific errors, halting OpenVPN connections until restart or reboot.
Instead of logging in and continuing, the service crashes, enabling persistent local DoS by any logged-in user.
A heap buffer over-read, possibly CVE-2025-12106, affects IPv6 parsing in 2.7_alpha1 to 2.7_rc1, risking crashes or info leaks. CVSS scores vary: 5.5 (medium) for the Windows issue (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), while the HMAC flaws rate higher due to their remote reachability.
| CVE ID | Description | Affected Versions | CVSS v3.1 | Fixed In |
|---|---|---|---|---|
| CVE-2025-13751 | Windows service local DoS | 2.6.0–2.6.16, 2.7_a1–2.7_rc2 | 5.5 | 2.6.17, 2.7_rc3 |
| CVE-2025-13086 | HMAC bypass, remote state DoS | 2.6.0–2.6.15 | 7.5+ | 2.6.16/17, 2.7_rc3 |
| CVE-2025-12106 | IPv6 parsing buffer over-read | 2.7_a1–2.7_rc1 | 9.1 | 2.7_rc3 |
Mitigation Steps
Administrators must upgrade to patched versions immediately, testing in staging first.
Disable interactive service on Windows if unused, and monitor logs for anomalous handshakes.
OpenVPN reports no active exploits, but multi-tenant servers face amplified risks from resource exhaustion. The issues were reported by Lev Stipakov; the fixes ensure that the service keeps handling errors and continues running rather than exiting.
These patches restore HMAC integrity checks and buffer bounds, bolstering VPN reliability.
Enterprises relying on OpenVPN for site-to-site or remote work should prioritize updates amid rising DoS threats. Full details are available in the release notes and GitHub issues.