OpenVPN

OpenVPN 2.7 Alpha to RC5 DoS via Epoch Key Slot Assertion
CVE-2025-15497 - January 30, 2026

Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service

assertion failure

OpenVPN 2.6.02.7_rc1 IP Source Validation Bypass (DoS)
CVE-2025-13086 - December 03, 2025

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

Improper Verification of Source of a Communication Channel

OpenVPN 2.5.0-2.7_rc2 LDoS via Interactive Service Agent on Windows
CVE-2025-13751 - December 03, 2025

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.

Allocation of Resources Without Limits or Throttling

OpenVPN 2.7_alpha1-rc1 IP Address Parsing Heap Over-Read
CVE-2025-12106 9.1 - Critical - December 01, 2025

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses

Buffer Over-read

OpenVPN 2.7_alpha1-beta1 DNS Variable Shell Injection
CVE-2025-10680 8.8 - High - October 24, 2025

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use

Shell injection

Buffer overflow in OpenVPN ovpn-dco-win <=1.3.0/<=2.5.8 causes local crash
CVE-2025-50054 - June 20, 2025

Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash

Privilege Escalation via Named Pipe in OpenVPN GUI 2.4.0–2.6.10 Windows
CVE-2024-4877 - April 03, 2025

OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges

OpenVPN 2.6.1-2.6.13 TLS-crypt-v2: Early Handshake Packet Replay DoS
CVE-2025-2704 7.5 - High - April 02, 2025

OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase

Improper Check for Unusual or Exceptional Conditions

OpenVPN 1.1.1 local: OVPN-DC driver NULL deref crash
CVE-2024-5198 - January 15, 2025

OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.

OpenVPN <2.6.11 PushReply Sanitization Flaw Enables Log Injection
CVE-2024-5594 9.1 - Critical - January 06, 2025

OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

Improper Validation of Specified Type of Input

OpenVPN 2.6.0-2.6.10: Authenticated Clients Extend Session via Exit Msg
CVE-2024-28882 - July 08, 2024

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session

OpenVPN 2.6.9 Interactive Service Stack Overflow Privilege Escalation
CVE-2024-27459 7.8 - High - July 08, 2024

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.

Memory Corruption

OpenVPN <=2.6.9 Remote Interactive Service Access (CVE-2024-24974)
CVE-2024-24974 7.5 - High - July 08, 2024

The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.

OpenVPN 2.6.9 Windows Plugin Directory Traversal Arbitrary PLG Exec
CVE-2024-27903 9.8 - Critical - July 08, 2024

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.

Unrestricted File Upload

OpenVPN 2.6.x DoS via Divide-by-zero on --fragment
CVE-2023-46849 7.5 - High - November 11, 2023

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

Divide By Zero

OpenVPN 2.6.0-2.6.6 UAF in Network Buffer -> Remote Exec
CVE-2023-46850 - November 11, 2023

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

Dangling pointer

OpenVPN 2.4.7 Control Chan CVE-2020-20813 - DOS via reset pkt
CVE-2020-20813 7.5 - High - August 22, 2023

Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which
CVE-2022-0547 9.8 - Critical - March 18, 2022

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Authentication Bypass by Primary Weakness

OpenVPN 3 Core Library version 3.6 and 3.6.1
CVE-2021-3547 7.4 - High - July 12, 2021

OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.

Improper Certificate Validation

OpenVPN 2.5.1 and earlier versions
CVE-2020-15078 7.5 - High - April 26, 2021

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Missing Authentication for Critical Function

An issue was discovered in OpenVPN 2.4.x before 2.4.9
CVE-2020-11810 - April 27, 2020

An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6
CVE-2018-9336 7.8 - High - May 01, 2018

openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.

Double-free

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5
CVE-2018-7544 - March 16, 2018

A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used
CVE-2017-12166 - October 04, 2017

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows)
CVE-2014-5455 - August 25, 2014

Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.<a href="http://cwe.mitre.org/data/definitions/428.html" target="_blank">CWE-428: Unquoted Search Path or Element</a>

Unquoted Search Path or Element