CVE-2025-13086 — Improper Verification of Source of a Communication Channel in Openvpn

CWE-940 — Improper Verification of Source of a Communication Channel7 documents7 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 86.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openvpn Debian Openvpn

Timeline

PublishedDec 3

Description

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶debiandebian/openvpn< openvpn 2.6.3-1+deb12u4 (bookworm)

▶NVDopenvpn/openvpn2.6.0 — 2.6.16+1

▶Debianopenvpn/openvpn< 2.6.3-1+deb12u4+2

▶CVEListV5openvpn/openvpn2.6.0 — 2.6.15+1

🔴Vulnerability Details

GHSA

GHSA-xv5w-q5wq-r3c3: Improper validation of source IP addresses in OpenVPN version 2↗2025-12-03

▶

OSV

CVE-2025-13086: Improper validation of source IP addresses in OpenVPN version 2↗2025-12-03

▶

📋Vendor Advisories

Red Hat

OpenVPN: OpenVPN: Improper validation of source IP addresses leads to denial of service↗2025-12-03

▶

Ubuntu

OpenVPN vulnerability↗2025-11-27

▶

Debian

CVE-2025-13086: openvpn - Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6....↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-15497 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶