OpenVPN Vulnerability Exposes Linux, MacOS Systems To Script Injection Attacks


A new vulnerability in early versions of OpenVPN has been disclosed, potentially allowing malicious servers to execute arbitrary commands on client machines.

The flaw affects OpenVPN releases from 2.7_alpha1 to 2.7_beta1, enabling script-injection attacks on POSIX-based systems such as Linux, macOS, and BSD variants.

The issue stems from inadequate sanitization of the `--dns` and `--dhcp-option` arguments. When a client connects to an untrusted VPN service, these parameters are passed unsanitized to the `--dns-updown` script hook.

This oversight lets attackers embed malicious commands that run with elevated privileges on the client device, risking data theft, malware deployment, or full system compromise.

Security researchers warn that users relying on these beta builds for remote access or secure networking face immediate risks, especially in enterprise or personal setups involving third-party VPN providers.

OpenVPN – Script Injection Attack

Designated as CVE-2025-10680, the vulnerability has a CVSS score of 8.1 (high severity), highlighting its exploitability over the network without authentication.


It exploits the trust model where clients assume server-pushed DNS configurations are benign. On affected Unix-like systems, the `--dns-updown` script executes these inputs directly, opening the door to command injection.

Windows users are also impacted if using the built-in PowerShell integration, though the primary exposure remains on Linux and macOS.

Proof-of-concept exploits could involve crafting DNS strings with shell metacharacters, such as backticks or semicolons, to chain additional commands.
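The defensive counterpart to the problem described above is strict allowlist validation of every server-pushed value before a hook script hands it to a system tool, combined with passing those values as separate argument words rather than through string interpolation. The following is an added example written for this article; it is not OpenVPN project code, and the variable names, the `resolvectl` invocation and the dry-run output format are assumptions about how a dns-updown style hook might be structured, not the hook's real interface.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): allowlist validation of
# server-pushed DNS values before a dns-updown style hook hands them
# to a system tool. Function and variable names are assumptions.

# is_ipv4 VALUE: four dotted decimal octets, each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# is_ipv6 VALUE: hex digits and colons only, at least one colon
# (a character-class check, not full RFC 4291 parsing).
is_ipv6() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]{2,39}$' && \
    printf '%s\n' "$1" | grep -q ':'
}

# is_domain VALUE: dot-separated RFC 1035 style labels made of letters,
# digits and inner hyphens, at most 63 chars per label, 253 overall.
is_domain() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$'
}

# validate_dns_value KIND VALUE: exit 0 only if VALUE is acceptable for
# KIND ("address" or "domain"). Anything else, including shell
# metacharacters such as ';', '`' or '$(', is rejected.
validate_dns_value() {
    kind=$1; value=$2
    case $kind in
        address) is_ipv4 "$value" || is_ipv6 "$value" ;;
        domain)  is_domain "$value" ;;
        *)       return 1 ;;
    esac
}

# apply_dns DEV ADDRESS DOMAIN: validate both pushed values, then print
# (dry run) the resolvectl commands that would be issued. Each value is
# passed as its own quoted word, never via eval or an unquoted string,
# so metacharacters stay inert even if validation were ever bypassed.
apply_dns() {
    dev=$1; addr=$2; domain=$3
    validate_dns_value address "$addr"  || { echo "rejected address: $addr" >&2; return 1; }
    validate_dns_value domain "$domain" || { echo "rejected domain: $domain" >&2; return 1; }
    printf 'resolvectl dns %s %s\nresolvectl domain %s %s\n' "$dev" "$addr" "$dev" "$domain"
}

# Constructed sample input, as a hook would see it from the server push.
apply_dns tun0 10.8.0.1 corp.example.com
```

The allowlist approach is the important part: rejecting unknown characters is far more robust than trying to enumerate dangerous ones, and keeping each value in its own argument word means the shell never re-parses server-controlled text.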

The OpenVPN project has confirmed no evidence of widespread exploitation yet, but urges immediate updates.

Patch Released With OpenVPN 2.7_beta2

Responding swiftly, the OpenVPN community released version 2.7_beta2 on October 27, 2025, incorporating critical fixes.

Key among them is enhanced input sanitization for DNS strings, blocking injection attempts from trusted-but-malicious servers.

The update also addresses Windows-specific issues, like improved event logging via a new openvpnservmsg.dll, and restores IPv4 broadcast configuration on Linux.

Additional bug fixes include better handling of multi-socket setups on Windows and repairs to DHCP options in TAP mode. Users should download the beta2 build from the official OpenVPN website and test in non-production environments.

For production use, sticking to stable 2.6.x releases remains advisable until 2.7 stabilizes. This incident underscores the importance of validating VPN software betas, particularly in diverse OS ecosystems.
