OpenVPN
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in OpenVPN.
By the Year
In 2025 there have been 6 vulnerabilities in OpenVPN with an average score of 8.5 out of ten. Last year, in 2024 Openvpn had 4 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2025 as compared to last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.10.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 6 | 8.47 |
| 2024 | 4 | 8.37 |
| 2023 | 3 | 8.27 |
| 2022 | 1 | 9.80 |
| 2021 | 2 | 7.45 |
| 2020 | 1 | 3.70 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 8.45 |
It may take a day or so for new Openvpn vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent OpenVPN Security Vulnerabilities
OpenVPN 2.7_alpha1-beta1 DNS Variable Shell Injection
CVE-2025-10680
8.8 - High
- October 24, 2025
OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use
Shell injection
Buffer overflow in OpenVPN ovpn-dco-win <=1.3.0/<=2.5.8 causes local crash
CVE-2025-50054
- June 20, 2025
Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash
Privilege Escalation via Named Pipe in OpenVPN GUI 2.4.0–2.6.10 Windows
CVE-2024-4877
- April 03, 2025
OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges
OpenVPN 2.6.1-2.6.13 TLS-crypt-v2: Early Handshake Packet Replay DoS
CVE-2025-2704
7.5 - High
- April 02, 2025
OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase
Improper Check for Unusual or Exceptional Conditions
OpenVPN 1.1.1 local: OVPN-DC driver NULL deref crash
CVE-2024-5198
- January 15, 2025
OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt.
OpenVPN <2.6.11 PushReply Sanitization Flaw Enables Log Injection
CVE-2024-5594
9.1 - Critical
- January 06, 2025
OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.
Improper Validation of Specified Type of Input
OpenVPN 2.6.0-2.6.10: Authenticated Clients Extend Session via Exit Msg
CVE-2024-28882
- July 08, 2024
OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session
OpenVPN <=2.6.9 Remote Interactive Service Access (CVE-2024-24974)
CVE-2024-24974
7.5 - High
- July 08, 2024
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service.
OpenVPN 2.6.9 Interactive Service Stack Overflow Privilege Escalation
CVE-2024-27459
7.8 - High
- July 08, 2024
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
Memory Corruption
OpenVPN 2.6.9 Windows Plugin Directory Traversal Arbitrary PLG Exec
CVE-2024-27903
9.8 - Critical
- July 08, 2024
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
Unrestricted File Upload
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6
CVE-2023-46849
7.5 - High
- November 11, 2023
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.
Divide By Zero
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir
CVE-2023-46850
9.8 - Critical
- November 11, 2023
Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.
Dangling pointer
Control Channel in OpenVPN 2.4.7 and earlier
CVE-2020-20813
7.5 - High
- August 22, 2023
Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet.
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which
CVE-2022-0547
9.8 - Critical
- March 18, 2022
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
Authentication Bypass by Primary Weakness
OpenVPN 3 Core Library version 3.6 and 3.6.1
CVE-2021-3547
7.4 - High
- July 12, 2021
OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.
Improper Certificate Validation
OpenVPN 2.5.1 and earlier versions
CVE-2020-15078
7.5 - High
- April 26, 2021
OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
Missing Authentication for Critical Function
An issue was discovered in OpenVPN 2.4.x before 2.4.9
CVE-2020-11810
3.7 - Low
- April 27, 2020
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
Race Condition
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6
CVE-2018-9336
7.8 - High
- May 01, 2018
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.
Double-free
A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5
CVE-2018-7544
9.1 - Critical
- March 16, 2018
A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning
Use of Externally-Controlled Format String
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used
CVE-2017-12166
9.8 - Critical
- October 04, 2017
OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.
Memory Corruption
Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows)
CVE-2014-5455
- August 25, 2014
Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.<a href="http://cwe.mitre.org/data/definitions/428.html" target="_blank">CWE-428: Unquoted Search Path or Element</a>
Unquoted Search Path or Element
