OpenVPN Flaws Allow Hackers to Launch DoS Attacks and Bypass Security Checks

Security researchers have uncovered three significant vulnerabilities in OpenVPN, one of the world’s most trusted open-source virtual private network (VPN) solutions.

The discovered flaws could allow attackers to crash VPN services, bypass essential security checks, or read sensitive memory data.

The OpenVPN development team has released urgent updates to address these issues, and administrators are strongly advised to apply them immediately.

| CVE ID | Vulnerability Type | Affected Versions |
|---|---|---|
| CVE-2025-13751 | Denial of Service (DoS) | 2.6.0 – 2.6.16; 2.7_alpha1 – 2.7_rc2 |
| CVE-2025-13086 | Security Check Bypass | 2.6.0 – 2.6.15; 2.7_alpha1 – 2.7_rc1 |
| CVE-2025-12106 | Buffer Over-read | 2.7_alpha1 – 2.7_rc1 |

The most critical issue for many businesses is a Denial-of-Service (DoS) vulnerability affecting Windows users. Identified as CVE-2025-13751, this flaw exists in the interactive service component of OpenVPN on Windows.

In simple terms, a bug in how the software handles errors causes it to shut down completely when it encounters specific conditions.

Usually, if a program hits a small error, it should log the problem and keep running. However, this bug causes the OpenVPN service to “exit” or stop working entirely.

Once this happens, no new VPN connections can be made until a human administrator manually restarts the service or reboots the entire computer.

The danger here is that any local user logged into the Windows machine can trigger this crash. This poses a significant disruption risk for organizations with employees sharing workstations.

The second major flaw, CVE-2025-13086, is a security bypass issue located in the “handshake” process, the initial greeting between a user and the server.

Due to a coding mistake in which a verification check was “inverted” (or reversed), the system began accepting all security cookies (HMACs) instead of validating them.

This breaks the server’s ability to verify the source IP address of incoming connections.

Consequently, attackers can flood the server with fake requests from spoofed IP addresses, forcing it to use up its memory and processing power while handling invalid sessions.

This is another form of Denial-of-Service that exhausts the server’s resources.
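
The inverted-check failure described above, as an added illustration that is not OpenVPN's code: a generic stateless handshake cookie in Python, where the key, the 30-second slot, the two-slot acceptance window and all function names are assumptions of the example. It shows why negating the comparison accepts every cookie rather than rejecting valid ones, and which test cases expose it.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed sample secret
SLOT = 30                       # assumed cookie time slot, in seconds

def make_cookie(key, src, session_id, now):
    """HMAC binding the claimed source address and session id to a time slot."""
    msg = f"{src}|{session_id}|{int(now) // SLOT}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_inverted(key, src, session_id, cookie, now):
    """Flawed: the comparison is negated, so a mismatch in any slot accepts."""
    for age in (0, 1):  # current and previous slot
        expected = make_cookie(key, src, session_id, now - age * SLOT)
        if not hmac.compare_digest(expected, cookie):  # inverted test
            return True
    return False

def verify_fixed(key, src, session_id, cookie, now):
    """Correct: accept only if the cookie equals the HMAC for an allowed slot."""
    for age in (0, 1):
        expected = make_cookie(key, src, session_id, now - age * SLOT)
        if hmac.compare_digest(expected, cookie):
            return True
    return False

def regression_cases(verify, now=1_700_000_000):
    """Two cookies that must pass and three that must be rejected."""
    src, sid = "198.51.100.7:40000", "sid-A"   # constructed sample client
    good = make_cookie(KEY, src, sid, now)
    return {
        "valid": verify(KEY, src, sid, good, now),
        "previous_slot": verify(KEY, src, sid, good, now + SLOT),
        "expired": verify(KEY, src, sid, good, now + 3 * SLOT),
        "forged": verify(KEY, src, sid, bytes(32), now),
        "other_source": verify(KEY, "203.0.113.9:40000", sid, good, now),
    }

if __name__ == "__main__":
    for name, fn in (("inverted", verify_inverted), ("fixed", verify_fixed)):
        print(name, regression_cases(fn))
```

With the inverted verifier the two legitimate cases still pass, so a test suite that only checks that real clients can connect would not notice the bug; the expired, forged and wrong-source cases are the ones that fail.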

A third vulnerability, CVE-2025-12106, involves how the software reads IPv6 addresses. A missing check could allow the program to read more memory than it should (a “buffer over-read”), which can lead to crashes or data leaks.

The OpenVPN team has acted quickly, releasing versions 2.6.17 and 2.7_rc3 to patch these holes.

If you are running OpenVPN 2.6.x or the newer 2.7 alpha/release candidates, you must update immediately to ensure your network remains secure.
