CVE-2025-10680

Published Oct 24, 2025

Last updated 5 months ago

CVSS high 8.8
Tunneling protocol

Overview

Description
OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use
Source
security@openvpn.net
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@openvpn.net
CWE-78

Social media

Hype score
Not currently trending

  1. ⚠️ OpenVPN RCE Vulnerability CVE-2025-10680: High-severity flaw enabling authenticated VPN servers to execute OS commands on clients. Scope: OpenVPN Client (Linux, macOS) Requirement: --dns-updown enabled

    @cyberthreatzip

    10 Nov 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. How was your weekend? Mine ended with a deep dive into the OpenSSH CVE-2025-10680 vulnerability which was not exactly relaxing, but definitely interesting🧐 [1/5]

    @LucianNitescu

    2 Nov 2025

    99 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. OpenVPN 2.7系プレリリースに高リスク脆弱性(CVE-2025-10680-悪意あるDNS設定でクライアント側スクリプト実行の恐れ https://t.co/VfX3KG8nkW #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    31 Oct 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨🚨CVE-2025-10680 (CVSS 8.8): Script-injection RCE in OpenVPN Client Malicious DNS servers can exploit unsanitized --dns and --dhcp-option parameters to inject commands executed on the client. Search by vul.cve Filter👉vul.cve="CVE-2025-10680" ZoomEye Dork👉app="OpenVPN

    @zoomeye_team

    29 Oct 2025

    1197 Impressions

    6 Retweets

    28 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  5. ⚠️⚠️ CVE-2025-10680: High 8.8/10 Script-injection RCE in OpenVPN client (affects 2.7_alpha1 → 2.7_beta1) — malicious VPN servers can push crafted --dns / --dhcp-option to the --dns-updown hook and inject commands on Unix clients (Linux/macOS) 🎯3.3m+ Results are fou

    @fofabot

    29 Oct 2025

    1622 Impressions

    10 Retweets

    28 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨Alert🚨 CVE-2025-10680 : High-Severity OpenVPN Flaw Allows Script Injection on Linux/macOS via Malicious DNS Server 📊3.6M+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/bjfitNwuTc 👇Query HUNTER : https://t.co/q9rtuGfZuz="OpenVP

    @HunterMapping

    29 Oct 2025

    5405 Impressions

    16 Retweets

    53 Likes

    25 Bookmarks

    1 Reply

    1 Quote

  7. 🚨 CVE-2025-10680: OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use CVSS: 8.8 Published: 2025-10-24 Advisory: https://t.co/hoEpxKMext

    @DarkWebInformer

    29 Oct 2025

    4262 Impressions

    4 Retweets

    20 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  8. OpenVPN Flaw CVE-2025-10680 Puts Linux/macOS Users at Risk via DNS - Update Now! Read the full report on - https://t.co/AABA41zOqX https://t.co/EKKofC32N1

    @cyberbivash

    28 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. NVD - CVE-2025-10680 https://t.co/vTfEM8NUmr OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use

    @pHo9UBenaA

    28 Oct 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. OpenVPN 2.7系(2.7_alpha1〜2.7_beta1)に、サーバーからクライアントへのDNS構成情報を通じて任意コマンドが実行される脆弱性(CVE-2025-10680)が確認されました。 https://t.co/gTgRHw5WBy

    @t_nihonmatsu

    28 Oct 2025

    426 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. OpenVPNの開発版に深刻な脆弱性(CVE-2025-10680、CVSS 8.8)が発見された。2.7_alpha1〜2.7_beta1が影響を受け、悪意あるVPNサーバに接続するとスクリプトインジェクションを介してクライアント側で任意コード実行が可

    @yousukezan

    28 Oct 2025

    1411 Impressions

    2 Retweets

    10 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  12. OpenVPN(クライアント)に深刻な脆弱性。CVE-2025-10680はCVSSスコア8.8で、悪意あるVPNサーバに接続することによりスクリプトインジェクションからの遠隔コード実行が成立。提示される--dnsと--dhcp-option引数の無害

    @__kokumoto

    28 Oct 2025

    778 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  13. CVE-2025-10680 OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in … https://t.co/pVQSAjstCP

    @CVEnew

    24 Oct 2025

    313 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378) [ 3959.023947] WARNING: ./include/linux/alloc_tag.h:155 at alloc_tag_add+0x128/0x178, CPU#6: mkfs.ntfs/113998 [ 3959.023978] Modules linked in: dns_resolver tun brd overlay exfat btrfs blake2b libblake2b xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel ext4 crc16 mbcache jbd2 rfkill sunrpc vfat fat sg fuse nfnetlink sr_mod virtio_gpu cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper ghash_ce drm sm4 backlight virtio_net net_failover virtio_scsi failover virtio_console virtio_blk virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod i2c_dev aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [ 3959.024170] CPU: 6 UID: 0 PID: 113998 Comm: mkfs.ntfs Kdump: loaded Tainted: G W 6.19.0-rc7+ #7 PREEMPT(voluntary) [ 3959.024182] Tainted: [W]=WARN [ 3959.024186] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 3959.024192] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3959.024199] pc : alloc_tag_add+0x128/0x178 [ 3959.024207] lr : alloc_tag_add+0x128/0x178 [ 3959.024214] sp : ffff80008b696d60 [ 3959.024219] x29: ffff80008b696d60 x28: 0000000000000000 x27: 0000000000000240 [ 3959.024232] x26: 0000000000000000 x25: 0000000000000240 x24: ffff800085d17860 [ 3959.024245] x23: 0000000000402800 x22: ffff0000c0012dc0 x21: 00000000000002d0 [ 3959.024257] x20: ffff0000e6ef3318 x19: ffff800085ae0410 x18: 0000000000000000 [ 3959.024269] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 3959.024281] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600064101293 [ 3959.024292] x11: 1fffe00064101292 x10: ffff600064101292 x9 : dfff800000000000 [ 3959.024305] x8 : 00009fff9befed6e x7 : ffff000320809493 x6 : 0000000000000001 [ 3959.024316] x5 : ffff000320809490 x4 : ffff600064101293 x3 : ffff800080691838 [ 3959.024328] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000d5bcd640 [ 3959.024340] Call trace: [ 3959.024346] alloc_tag_add+0x128/0x178 (P) [ 3959.024355] __alloc_tagging_slab_alloc_hook+0x11c/0x1a8 [ 3959.024362] kmem_cache_alloc_lru_noprof+0x1b8/0x5e8 [ 3959.024369] xas_alloc+0x304/0x4f0 [ 3959.024381] xas_create+0x1e0/0x4a0 [ 3959.024388] xas_store+0x68/0xda8 [ 3959.024395] __filemap_add_folio+0x5b0/0xbd8 [ 3959.024409] filemap_add_folio+0x16c/0x7e0 [ 3959.024416] __filemap_get_folio_mpol+0x2dc/0x9e8 [ 3959.024424] iomap_get_folio+0xfc/0x180 [ 3959.024435] __iomap_get_folio+0x2f8/0x4b8 [ 3959.024441] iomap_write_begin+0x198/0xc18 [ 3959.024448] iomap_write_iter+0x2ec/0x8f8 [ 3959.024454] iomap_file_buffered_write+0x19c/0x290 [ 3959.024461] blkdev_write_iter+0x38c/0x978 [ 3959.024470] vfs_write+0x4d4/0x928 [ 3959.024482] ksys_write+0xfc/0x1f8 [ 3959.024489] __arm64_sys_write+0x74/0xb0 [ 3959.024496] invoke_syscall+0xd4/0x258 [ 3959.024507] el0_svc_common.constprop.0+0xb4/0x240 [ 3959.024514] do_el0_svc+0x48/0x68 [ 3959.024520] el0_svc+0x40/0xf8 [ 3959.024526] el0t_64_sync_handler+0xa0/0xe8 [ 3959.024533] el0t_64_sync+0x1ac/0x1b0 [ 3959.024540] ---[ end trace 0000000000000000 ]--- When __memcg_slab_post_alloc_hook() fails, there are two different free paths depending on whether size == 1 or size != 1. In the kmem_cache_free_bulk() path, we do call alloc_tagging_slab_free_hook(). However, in memcg_alloc_abort_single() we don't, the above warning will be triggered on the next allocation. Therefore, add alloc_tagging_slab_free_hook() to the memcg_alloc_abort_single() path.CVE-2026-23219
  2. Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of serviceCVE-2025-15497
  3. TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115.CVE-2026-24904
  4. Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating clientCVE-2025-13086
  5. Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.CVE-2025-13751

References

Sources include official advisories and independent security research.