OpenVPN, a popular open-source VPN solution, has patched multiple flaws in its recent releases that expose users to denial-of-service (DoS) attacks and security bypasses.
Versions 2.6.17 and 2.7_rc3, released on November 28, 2025, address issues including a local DoS on Windows systems and remote state exhaustion attacks stemming from faulty HMAC verification.
These vulnerabilities could disrupt VPN services critical for remote access, allowing attackers to crash services or spoof connections without proper authentication.
Attackers exploit these flaws through specific error triggers and logic errors in authentication handshakes.
The HMAC verification bug, tracked as CVE-2025-13086, mishandles memcmp checks during the three-way handshake, allowing invalid cookies to be accepted from any IP address.
This lets remote attackers create unauthorized TLS sessions, exhausting server resources in a DoS that, at scale, resembles a distributed attack.
Affected versions range from 2.6.0 to 2.6.15, and stricter time-slot validation now rejects future timestamps to prevent replay-like abuses.
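The two checks described above (acting correctly on the comparison result and refusing future time slots) can be seen in a small stateless-cookie sketch. This is an added example, not OpenVPN's code: the cookie layout, the 30-second slot length, the function names and the exact form of the comparison mistake are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 30  # assumed slot length for this sketch


def memcmp(a: bytes, b: bytes) -> int:
    """C-style result: 0 when the buffers are equal, nonzero otherwise."""
    return 0 if hmac.compare_digest(a, b) else 1


def make_cookie(key: bytes, peer: str, session_id: bytes, slot: int) -> bytes:
    """Bind the cookie to the peer address, the session id and a time slot."""
    msg = peer.encode() + b"|" + session_id + struct.pack(">Q", slot)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_buggy(key, peer, session_id, tag, now) -> bool:
    """'Before' form: treats a nonzero memcmp result as a match and
    also tolerates a slot that lies in the future."""
    slot = now // SLOT_SECONDS
    for s in (slot - 1, slot, slot + 1):
        if memcmp(make_cookie(key, peer, session_id, s), tag):  # wrong test
            return True
    return False


def verify_fixed(key, peer, session_id, tag, now) -> bool:
    """Hardened form: a match is exactly memcmp == 0, and only the
    current and previous slots are accepted."""
    slot = now // SLOT_SECONDS
    for s in (slot - 1, slot):
        if memcmp(make_cookie(key, peer, session_id, s), tag) == 0:
            return True
    return False


if __name__ == "__main__":
    key, sid, now = b"k" * 32, bytes(8), 1_000_000  # constructed sample values
    forged = bytes(32)  # attacker-chosen bytes, no knowledge of the key
    print("buggy accepts forged:", verify_buggy(key, "203.0.113.9:1194", sid, forged, now))
    print("fixed accepts forged:", verify_fixed(key, "203.0.113.9:1194", sid, forged, now))
```

With the corrected check, state is only allocated for peers that return a cookie issued for their own address within the accepted window.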
CVE-2025-13751 targets the Windows interactive service in versions 2.6.0 through 2.6.16 and 2.7_alpha1 to 2.7_rc2.
Local authenticated users trigger an erroneous exit on specific errors, halting OpenVPN connections until restart or reboot.
Instead of logging the error and continuing, the service crashes, enabling a persistent local DoS by any logged-in user.
A heap buffer over-read, possibly CVE-2025-12106, affects IPv6 parsing in 2.7_alpha1 to 2.7_rc1, risking crashes or information leaks.
CVSS scores vary: 5.5 (medium) for the Windows issue (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), while HMAC flaws rate higher due to their remote reachability.
| CVE ID | Description | Affected Versions | CVSS v3.1 | Fixed In |
|---|---|---|---|---|
| CVE-2025-13751 | Windows service local DoS | 2.6.0–2.6.16, 2.7_a1–2.7_rc2 | 5.5 | 2.6.17, 2.7_rc3 |
| CVE-2025-13086 | HMAC bypass, remote state DoS | 2.6.0–2.6.15 | 7.5+ | 2.6.16/17, 2.7_rc3 |
| CVE-2025-12106 | IPv6 parsing buffer over-read | 2.7_a1–2.7_rc1 | 9.1 | 2.7_rc3 |
Administrators must upgrade to patched versions immediately, testing in staging first.
Disable the interactive service on Windows if it is unused, and monitor logs for anomalous handshakes.
OpenVPN reports no active exploits, but multi-tenant servers face amplified risks from resource exhaustion. Reported by Lev Stipakov; the fixes ensure that error handling continues without exiting.
These patches restore HMAC integrity checks and buffer bounds, bolstering VPN reliability.
Enterprises relying on OpenVPN for site-to-site or remote work should prioritize updates amid rising DoS threats. Full details are available in the release notes and GitHub issues.