OpenVPN Open source VPN

By the Year

In 2025 there have been 12 vulnerabilities in OpenVPN with an average score of 8.2 out of ten. Last year, in 2024 OpenVPN had 7 security vulnerabilities published. That is, 5 more vulnerabilities have already been reported in 2025 as compared to last year. Last year, the average CVE base score was greater by 0.05

Recent OpenVPN Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2025-13086	Dec 03, 2025	OpenVPN 2.6.02.7_rc1 IP Source Validation Bypass (DoS) Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client	Openvpn
CVE-2025-13751	Dec 03, 2025	OpenVPN 2.5.0-2.7_rc2 LDoS via Interactive Service Agent on Windows Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.	Openvpn
CVE-2025-12106	Dec 01, 2025	OpenVPN 2.7_alpha1-rc1 IP Address Parsing Heap Over-Read Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses	Openvpn
CVE-2025-50055	Oct 27, 2025	OpenVPN Access Server 2.14.x SAML XSS via RelayState in Auth Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter	Access Server
CVE-2025-10680	Oct 24, 2025	OpenVPN 2.7_alpha1-beta1 DNS Variable Shell Injection OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use	Openvpn
CVE-2025-50054	Jun 20, 2025	Buffer overflow in OpenVPN ovpn-dco-win <=1.3.0/<=2.5.8 causes local crash Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash	Openvpn
CVE-2025-3908	May 19, 2025	OpenVPN 3 Linux v20-v24: Local Symlink Ownership Escalation The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.	Openvpn3linux
CVE-2024-4877	Apr 03, 2025	Privilege Escalation via Named Pipe in OpenVPN GUI 2.4.0–2.6.10 Windows OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges	Openvpn
CVE-2025-2704	Apr 02, 2025	OpenVPN 2.6.1-2.6.13 TLS-crypt-v2: Early Handshake Packet Replay DoS OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase	Openvpn
CVE-2024-5198	Jan 15, 2025	OpenVPN 1.1.1 local: OVPN-DC driver NULL deref crash OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.	Ovpn Dco Win Openvpn
CVE-2024-8474	Jan 06, 2025	OpenVPN Connect <3.5.0: Config Profile Private Key leaked in logs OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic	Connect
CVE-2024-5594	Jan 06, 2025	OpenVPN <2.6.11 PushReply Sanitization Flaw Enables Log Injection OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.	Openvpn
CVE-2024-28882	Jul 08, 2024	OpenVPN 2.6.0-2.6.10: Authenticated Clients Extend Session via Exit Msg OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session	Openvpn
CVE-2024-24974	Jul 08, 2024	OpenVPN <=2.6.9 Remote Interactive Service Access (CVE-2024-24974) The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.	Openvpn
CVE-2024-27459	Jul 08, 2024	OpenVPN 2.6.9 Interactive Service Stack Overflow Privilege Escalation The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.	Openvpn
CVE-2024-27903	Jul 08, 2024	OpenVPN 2.6.9 Windows Plugin Directory Traversal Arbitrary PLG Exec OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.	Openvpn
CVE-2023-7235	Feb 21, 2024	OpenVPN GUI pre-2.6.9 ACL flaw allows binary tampering The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables.	Openvpn Gui
CVE-2023-7245	Feb 20, 2024	OpenVPN Connect 3.03.4.3 Node.js LPE via ELECTRON_RUN_AS_NODE The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable	Connect
CVE-2023-7224	Jan 08, 2024	OpenVPN Connect v3.0-3.4.6 MacOS LCE via DYLD_INSERT_LIBRARIES OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable	Connect
CVE-2023-46849	Nov 11, 2023	OpenVPN 2.6.x DoS via Divide-by-zero on --fragment Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.	Openvpn Openvpn Access Server
CVE-2023-46850	Nov 11, 2023	OpenVPN 2.6.0-2.6.6 UAF in Network Buffer -> Remote Exec Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.	Openvpn Openvpn Access Server
CVE-2022-3761	Oct 17, 2023	OpenVPN Connect <3.4.0 MI-MITM Credential Leakage OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contains the users credentials	Connect
CVE-2020-20813	Aug 22, 2023	OpenVPN 2.4.7 Control Chan CVE-2020-20813 - DOS via reset pkt Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.	Openvpn
CVE-2021-4234	Jul 06, 2022	OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.	Openvpn Access Server
CVE-2022-33737	Jul 06, 2022	The OpenVPN Access Server installer creates a log file readable for everyone, which The OpenVPN Access Server installer creates a log file readable for everyone, which from version 2.10.0 and before 2.11.0 may contain a random generated admin password	Openvpn Access Server
CVE-2022-33738	Jul 06, 2022	OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal OpenVPN Access Server before 2.11 uses a weak random generator used to create user session token for the web portal	Openvpn Access Server
CVE-2022-0547	Mar 18, 2022	OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.	Openvpn
CVE-2021-3824	Sep 23, 2021	OpenVPN Access Server 2.9.0 through 2.9.4 OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.	Openvpn Access Server
CVE-2021-3547	Jul 12, 2021	OpenVPN 3 Core Library version 3.6 and 3.6.1 OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.	Openvpn
CVE-2021-3613	Jul 02, 2021	OpenVPN Connect 3.2.0 through 3.3.0 OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).	Connect
CVE-2020-15077	Jun 04, 2021	OpenVPN Access Server 2.8.7 and earlier versions OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.	Openvpn Access Server
CVE-2020-36382	Jun 04, 2021	OpenVPN Access Server 2.7.3 to 2.8.7 OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service.	Openvpn Access Server
CVE-2020-15076	May 26, 2021	Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access Private Tunnel installer for macOS version 3.0.1 and older versions may corrupt system critical files it should not have access via symlinks in /tmp.	Private Tunnel
CVE-2020-15078	Apr 26, 2021	OpenVPN 2.5.1 and earlier versions OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.	Openvpn
CVE-2020-15075	Mar 30, 2021	OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access OpenVPN Connect installer for macOS version 3.2.6 and older may corrupt system critical files it should not have access via symlinks in /tmp.	Connect
CVE-2020-15074	Jul 14, 2020	OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp. OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.	Openvpn Access Server
CVE-2020-11462	May 04, 2020	An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3 An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8.x before 2.8.3. With the full featured RPC2 interface enabled, it is possible to achieve a temporary DoS state of the management interface when sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.	Openvpn Access Server
CVE-2020-11810	Apr 27, 2020	An issue was discovered in OpenVPN 2.4.x before 2.4.9 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.	Openvpn
CVE-2020-8953	Feb 13, 2020	OpenVPN Access Server 2.8.x before 2.8.1 OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication).	Openvpn Access Server
CVE-2018-9336	May 01, 2018	openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.	Openvpn
CVE-2018-7544	Mar 16, 2018	A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5 A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning	Openvpn
CVE-2017-12166	Oct 04, 2017	OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.	Openvpn
CVE-2014-5455	Aug 25, 2014	Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.<a href="http://cwe.mitre.org/data/definitions/428.html" target="_blank">CWE-428: Unquoted Search Path or Element</a>	Openvpn