Aggregates CVE and security vulnerability intelligence across all OpenVPN-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve input validation and CSRF-related problems; some flaws may lead to unexpected behavior, affecting production workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-9560 | Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel | [email protected] | 9.4 | 0.05% | 2026-05-26 | 2026-05-27 |
| CVE-2025-13086 | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client | [email protected] | 4.6 | 0.05% | 2025-12-03 | 2026-01-30 |
| CVE-2025-13751 | Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | [email protected] | 1.3 | 0.01% | 2025-12-03 | 2026-01-30 |
| CVE-2025-12106 | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses | [email protected] | 9.1 | 0.06% | 2025-12-01 | 2025-12-30 |
| CVE-2025-50054 | Buffer overflow in OpenVPN ovpn-dco-win version 1.3.0 and earlier and version 2.5.8 and earlier allows a local user process to send a too large control message buffer to the kernel driver resulting in a system crash | [email protected] | 5.5 | 0.08% | 2025-06-20 | 2025-08-21 |
| CVE-2025-3908 | The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory. | [email protected] | 6.2 | 0.14% | 2025-05-19 | 2025-06-12 |
| CVE-2024-4877 | OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges | [email protected] | 8.8 | 0.15% | 2025-04-03 | 2025-04-29 |
| CVE-2025-2704 | OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase | [email protected] | 7.5 | 0.52% | 2025-04-02 | 2025-10-23 |
| CVE-2024-13454 | Weak encryption algorithm in Easy-RSA version 3.0.5 through 3.1.7 allows a local attacker to more easily brute-force the private CA key when created using OpenSSL 3 | [email protected] | 5.3 | 0.04% | 2025-01-20 | 2025-08-22 |
| CVE-2024-5198 | OpenVPN ovpn-dco for Windows version 1.1.1 allows an unprivileged local attacker to send I/O control messages with invalid data to the driver resulting in a NULL pointer dereference leading to a system halt. | [email protected] | 3.3 | 0.10% | 2025-01-15 | 2025-06-10 |
| CVE-2024-8474 | OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic | [email protected] | 7.5 | 1.14% | 2025-01-06 | 2025-06-10 |
| CVE-2024-5594 | OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs. | [email protected] | 9.1 | 0.52% | 2025-01-06 | 2025-11-03 |
| CVE-2024-28882 | OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session | [email protected] | 4.3 | 0.34% | 2024-07-08 | 2025-06-10 |
| CVE-2024-1305 | tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations, which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space | [email protected] | 9.8 | 8.33% | 2024-07-08 | 2025-08-22 |
| CVE-2024-27903 | OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | [email protected] | 9.8 | 6.99% | 2024-07-08 | 2024-11-21 |
| CVE-2024-27459 | The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. | [email protected] | 7.8 | 5.42% | 2024-07-08 | 2024-11-21 |
| CVE-2024-24974 | The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. | [email protected] | 7.5 | 11.09% | 2024-07-08 | 2024-11-21 |
| CVE-2023-6247 | The PKCS#7 parser in OpenVPN 3 Core Library versions through 3.8.3 did not properly validate the parsed data, which would result in the application crashing. | [email protected] | 6.5 | 0.58% | 2024-02-29 | 2025-08-21 |
| CVE-2023-7235 | The OpenVPN GUI installer before version 2.6.9 did not set the proper access control restrictions to the installation directory of OpenVPN binaries when using a non-standard installation path, which allows an attacker to replace binaries to run arbitrary executables. | [email protected] | 8.4 | 0.03% | 2024-02-21 | 2025-05-06 |
| CVE-2023-7245 | The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable | [email protected] | 7.8 | 0.26% | 2024-02-20 | 2025-04-02 |