CVE-2024-5594

Published Jan 6, 2025

Last updated 6 months ago

CVSS critical 9.1
Tunneling protocol
VPN

Overview

Description
OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.
Source
security@openvpn.net
NVD status
Modified
Products
openvpn

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security@openvpn.net
CWE-1287

Social media

Hype score
Not currently trending

  1. #Vulnerability #CVE202428882 CVE-2024-5594 (CVSS 9.1): Critical Vulnerability in OpenVPN Enables Code Execution https://t.co/X3h1fLGiZa

    @Komodosec

    14 Jan 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-5594 impacts OpenVPN #CVE-2024-5594 #OpenVPN https://t.co/v6gnl3QlSg

    @pravin_karthik

    12 Jan 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. OpenVPNが重大(Critical)な脆弱性を修正。CVE-2024-5594はCVSSスコア9.1で、悪意あるピアがサードパーティー実行ファイルやプラグインに任意のデータを注入できることによるコード実行のおそれ。PUSH_REPLYメッセージの無害化不備に起因。その他の脆弱性も修正あり。 https://t.co/MN0OrFlmMu

    @__kokumoto

    9 Jan 2025

    1828 Impressions

    13 Retweets

    42 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-5594 01/06/2025 02:15:08 PM BaseSeverity: CRITICAL OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or ... https://t.co/9oc3eS4uMY

    @CVETracker

    7 Jan 2025

    47 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2024-5594 OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins. https://t.co/gh0D3y2rB4

    @CVEnew

    6 Jan 2025

    496 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Linux Kernel Incorrect Resource Transfer Between Spheres VulnerabilityCVE-2026-31431
  2. Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.CVE-2026-33825
  3. Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.CVE-2026-33824
  4. Marimo Remote Code Execution VulnerabilityCVE-2026-39987
  5. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616

References

Sources include official advisories and independent security research.