OpenVPN has released critical security updates for its 2.6 stable and 2.7 development branches, addressing three vulnerabilities that could lead to local denial-of-service (DoS), security bypasses, and buffer over-reads.
The patches, included in the newly released version 2.6.17 and 2.7_rc3, fix issues ranging from logic errors in HMAC verification to stability flaws in the Windows interactive service.
Administrators are urged to upgrade immediately, particularly those running OpenVPN on Windows or utilizing the 2.7 release candidates.
Windows Interactive Service DoS (CVE-2025-13751)
The most significant issue for Windows environments is CVE-2025-13751, a local denial-of-service vulnerability affecting the interactive service component.
The flaw involves an erroneous exit routine where the service shuts down completely upon encountering specific error conditions, rather than logging the error and continuing operations.
This vulnerability can be triggered by any authenticated local user, making it a moderate risk for multi-user Windows systems.
Once triggered, the OpenVPN service terminates, preventing any new VPN connections until the service is manually restarted or the system is rebooted. This issue affects OpenVPN versions 2.6.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2. It is resolved in 2.6.17 and 2.7_rc3.
HMAC Verification Bypass (CVE-2025-13086)
A serious logic flaw, identified as CVE-2025-13086, was found in the HMAC verification check used during the 3-way handshake. Due to an inverted memcmp() call in the code, the system inadvertently accepted all HMAC cookies, effectively neutralizing source IP address validation.
This failure allows attackers to bypass the initial verification layer, potentially opening TLS sessions and consuming server state from IP addresses that did not initiate a legitimate connection.
The update also enforces stricter timeslot checks, rejecting HMACs from future timestamps. This vulnerability affects versions 2.6.0 through 2.6.15 and is fixed in 2.6.16 (and included in 2.6.17).
IPv6 Buffer Over-Read (CVE-2025-12106)
For users on the development branch (2.7 series), CVE-2025-12106 presents a high-severity memory safety issue. The vulnerability stems from a mismatched address family check in the get_addr_generic function, which can lead to a heap buffer over-read when parsing invalid IPv6 input.
While this flaw has been rated with a critical CVSS score of 9.1 in some reports due to its potential for memory corruption, it is strictly limited to the 2.7_alpha1 through 2.7_rc1 builds and does not affect the stable 2.6 branch.
The following table summarizes the vulnerabilities and the required versions to mitigate them. Users on the stable branch should target 2.6.17, while testing branch users must update to 2.7_rc3.
| CVE ID | Vulnerability Type | Impact | Affected Versions | Fixed In |
|---|---|---|---|---|
| CVE-2025-13751 | Local DoS | Service crash on Windows | 2.6.0–2.6.16 2.7_alpha1–2.7_rc2 | 2.6.17 2.7_rc3 |
| CVE-2025-13086 | Security Bypass | HMAC check failure | 2.6.0–2.6.15 2.7_alpha1–2.7_rc1 | 2.6.16 2.7_rc2 |
| CVE-2025-12106 | Buffer Over-read | Invalid IPv6 parsing | 2.7_alpha1–2.7_rc1 | 2.7_rc2 |
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post OpenVPN Vulnerabilities Let Hackers Triggers Dos Attack and Bypass Security Checks appeared first on Cyber Security News.