CVE-2025-10680
published 2025-10-24


Priority: P2 (64), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 6.93% (93.3rd percentile)

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX-based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use.

Affected (2 ranges)

Vendor    Product   Version range             Fixed in
debian    openvpn
openvpn   openvpn   2.7_alpha1 – 2.7_beta1

Detection & IOCs (extracted from sources)

  • The vulnerability is reachable only when the `--dns-updown` option is enabled in the OpenVPN client configuration; monitor for this directive in OpenVPN config files and in process command lines.
  • The attack vector is limited to POSIX-based platforms (Linux, macOS, the BSDs and similar); Windows OpenVPN deployments are not affected by this shell-injection path.
  • The injection vector is DNS variables passed to the updown script; on POSIX systems, monitor for anomalous child processes spawned by the OpenVPN process (for example, unexpected shell execution).
  • Exploitation requires the victim client to be using the `--dns-updown` option; deployments that do not use it are not vulnerable to this specific attack.
  • Only OpenVPN 2.7_alpha1 through 2.7_beta1 are affected; these are pre-release alpha and beta builds. Production deployments on stable releases are not in the stated affected range.
  • The attacker must be a remote *authenticated* server (that is, a malicious or compromised VPN server the client connects to); unauthenticated remote attackers cannot exploit this.
  • Debian has issued fixes across all tracked branches (bookworm, bullseye, forky, sid, trixie); patched packages should be prioritized for affected POSIX deployments.
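
The first detection bullet above suggests monitoring for the `dns-updown` directive in config files and process command lines. The following script is an added example (not part of this record or of the OpenVPN project) that does both: it parses OpenVPN config text for the directive and lists running OpenVPN processes started with `--dns-updown`. It assumes any `dns-updown` directive enables the feature (conservative; this record does not describe the option's arguments), and the sample configs in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: flag OpenVPN client configs and
# running OpenVPN processes that enable dns-updown, the precondition that
# makes CVE-2025-10680 reachable on POSIX hosts.

# config_uses_dns_updown CONFIG_TEXT
# Exit 0 when the config text enables dns-updown. Config files carry the
# directive as `dns-updown` (OpenVPN also accepts the `--dns-updown` form);
# `#` and `;` comments are stripped first. Assumption: any dns-updown
# directive counts as a hit, which is the conservative reading.
config_uses_dns_updown() {
    printf '%s\n' "$1" | awk '
        { sub(/[#;].*/, ""); sub(/^[ \t]+/, "") }   # drop comments, indentation
        $1 == "dns-updown" || $1 == "--dns-updown" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# scan_config_files FILE... : print each readable file that enables dns-updown.
scan_config_files() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if config_uses_dns_updown "$(cat "$f")"; then
            printf 'dns-updown enabled: %s\n' "$f"
        fi
    done
}

# scan_processes : print OpenVPN processes carrying --dns-updown on their
# command line (covers the option being passed as a flag rather than in a file).
scan_processes() {
    ps -eo pid=,args= 2>/dev/null | awk '
        $2 ~ /openvpn/ && / --dns-updown/ { print "dns-updown on cmdline, pid " $1 }'
}

# demo : run the file scan over two constructed configs in a temp directory.
demo() {
    dir=$(mktemp -d)
    printf 'client\nremote vpn.example.net 1194\ndns-updown /etc/openvpn/dns-updown.sh\n' > "$dir/a.ovpn"
    printf 'client\nremote vpn.example.net 1194\n# dns-updown left commented out\n' > "$dir/b.ovpn"
    scan_config_files "$dir"/*.ovpn     # reports only a.ovpn
    rm -rf "$dir"
}

case "${1:-}" in --demo) demo; scan_processes ;; esac
```

Run with `--demo` for the constructed sample, or pass real paths such as the files under /etc/openvpn to `scan_config_files`.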

CVSS provenance

Source         Score  Severity  Vector
nvd (v3.1)     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv            8.8    HIGH
vendor_debian  8.8    LOW