CVE-2025-10680
Published 2025-10-24
Priority P264 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.93% (93.3rd percentile)
OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openvpn | — | — |
| openvpn | openvpn | 2.7_alpha1 – 2.7_beta1 | — |
Detection & IOCs
- Vulnerability is exploitable only when the `--dns-updown` option is in use in OpenVPN configuration; monitor for this flag in OpenVPN config files or process command lines.
- Attack vector is limited to POSIX-based platforms (Linux/macOS/etc.); Windows OpenVPN deployments are not affected by this specific shell injection path.
- The injection vector is DNS variables passed to the updown script; monitor for anomalous child process spawning from the OpenVPN process (e.g., unexpected shell execution) on POSIX systems.
- Exploitation requires the victim client to be using the `--dns-updown` configuration option; deployments not using this option are not vulnerable to this specific attack.
- Only OpenVPN versions 2.7_alpha1 through 2.7_beta1 are affected; these are pre-release/alpha/beta builds. Production deployments on stable releases are not in the stated affected range.
- The attacker must be a remote *authenticated* server (i.e., a malicious or compromised VPN server the client connects to); unauthenticated remote attackers cannot exploit this.
- Debian has issued fixes across all tracked branches (bookworm, bullseye, forky, sid, trixie); patched packages should be prioritized for affected POSIX deployments.
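The version and `--dns-updown` preconditions above can be checked per host with a short script. This is an added example, not code from OpenVPN or any of the listed sources; the function names and verdict strings are hypothetical, and it assumes the first line of `openvpn --version` begins with `OpenVPN <version>` and that pre-releases are named `2.7_alphaN` / `2.7_betaN`. It only detects an explicitly configured `dns-updown` directive or flag.

```shell
#!/bin/sh
# Added example: triage one host for the preconditions listed above.
# Banners and configs fed to it in testing are constructed samples.

# Pull the version token out of the first line of `openvpn --version`,
# e.g. "OpenVPN 2.7_alpha1 x86_64-pc-linux-gnu ..." -> "2.7_alpha1".
parse_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenVPN" { print $2 }'
}

# Succeeds for versions inside the range stated on this page
# (2.7_alpha1 through 2.7_beta1). Assumption: pre-releases are named
# 2.7_alphaN and 2.7_betaN, so every alpha plus beta1 is in range.
is_affected_version() {
    case "$1" in
        2.7_alpha[1-9]*|2.7_beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if a config file sets the dns-updown directive on an active
# line (lines starting with '#' or ';' are comments and are ignored).
config_uses_dns_updown() {
    grep -Eq '^[[:space:]]*dns-updown([[:space:]]|$)' "$1"
}

# Succeeds if a process command line (as shown by ps) passes --dns-updown.
cmdline_uses_dns_updown() {
    case " $1 " in
        *" --dns-updown "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the checks into one verdict string for a banner + config pair.
assess() {
    ver=$(parse_version "$1")
    if ! is_affected_version "$ver"; then
        echo "not-in-affected-range"
    elif config_uses_dns_updown "$2"; then
        echo "affected-version-with-dns-updown"
    else
        echo "affected-version-dns-updown-not-set"
    fi
}

# Direct use: sh check.sh "$(openvpn --version | head -n 1)" /path/to/client.conf
if [ "$#" -eq 2 ]; then assess "$1" "$2"; fi
```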
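CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |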
OSV
CVE-2025-10680: OpenVPN 2
osv · 2025-10-27 · CVSS 8.8
CVE-2025-10680 [HIGH] CVE-2025-10680: OpenVPN 2
GHSA
GHSA-wfq6-x28p-qgh6: OpenVPN 2
ghsa_unreviewed · 2025-10-24
CVE-2025-10680 [HIGH] CWE-78 GHSA-wfq6-x28p-qgh6: OpenVPN 2
Debian
CVE-2025-10680: openvpn - OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote au...
vendor_debian · 2025 · CVSS 8.8
CVE-2025-10680 [HIGH] CVE-2025-10680: openvpn - OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote au...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.