OpenVPN Flaw Allows Attackers to Crash Servers and Run Remote Code
OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability that could allow attackers to crash servers and potentially execute remote code under certain conditions.
The flaw, identified as CVE-2025-2704, affects OpenVPN servers using specific configurations and has been addressed in the newly released version OpenVPN 2.6.14.
CVE-2025-2704: Overview
The vulnerability is specific to OpenVPN servers running versions 2.6.1 to 2.6.13 and using the --tls-crypt-v2 configuration.
It allows an attacker with a valid tls-crypt-v2 client key or network observation of a handshake using such a key to send a combination of authenticated and malformed packets.
These packets trigger an ASSERT() message, causing the server to abort unexpectedly.
While no cryptographic integrity is violated, no data is leaked, and remote code execution is not directly possible, the vulnerability poses a denial-of-service (DoS) risk for affected servers.
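As an added, defender-side example (not part of the gbhackers story or of OpenVPN's own tooling), the following Python checks whether a server's version string and configuration fall into the affected set described above. The version output and the server config are constructed samples, and the parser assumes the usual first line of `openvpn --version`.

```python
import re

# Constructed sample inputs (not taken from the advisory): the first line of
# `openvpn --version` and a minimal server config that enables tls-crypt-v2.
SAMPLE_VERSION_OUTPUT = "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] [DCO]"
SAMPLE_SERVER_CONFIG = """\
port 1194
proto udp
dev tun
# tls-crypt-v2 protects the control channel; this is the affected option
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key
"""

AFFECTED_MIN = (2, 6, 1)    # first affected release per the advisory
AFFECTED_MAX = (2, 6, 13)   # last affected release; 2.6.14 carries the fix


def parse_version(version_output):
    """Extract (major, minor, patch) from the first line of `openvpn --version`."""
    m = re.search(r"OpenVPN\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("could not find an OpenVPN version string")
    return tuple(int(x) for x in m.groups())


def uses_tls_crypt_v2(config_text):
    """True if the config enables --tls-crypt-v2, either as a
    'tls-crypt-v2 <keyfile>' directive or as an inline <tls-crypt-v2> block.
    Comment lines starting with '#' or ';' are ignored."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.split()[0] == "tls-crypt-v2" or stripped.lower() == "<tls-crypt-v2>":
            return True
    return False


def is_exposed(version_output, config_text):
    """Exposed to CVE-2025-2704 only when both conditions hold:
    an affected 2.6.x release AND tls-crypt-v2 in use on the server."""
    version = parse_version(version_output)
    return AFFECTED_MIN <= version <= AFFECTED_MAX and uses_tls_crypt_v2(config_text)
```

Run it against each server's real `openvpn --version` output and config; a `True` result means the server should be upgraded to 2.6.14.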
Fortunately, OpenVPN clients are ...
Copyright of this story solely belongs to gbhackers.