OpenVPN Vulnerability Exposes Linux, macOS Systems to Script Injection Attacks

Source: Cyber Security News

A high-severity vulnerability has been disclosed in the pre-release builds of OpenVPN 2.7, affecting 2.7_alpha1 through 2.7_beta1. On POSIX systems (Linux, macOS and similar) it allows script injection: the values of the --dns and --dhcp-option arguments, which a VPN server can push to a connecting client, are not sanitized adequately before the client hands them to a script, so a malicious or compromised server can embed shell commands in those values and have the client execute them with the privileges of the OpenVPN process, which on these platforms typically runs as root. The practical risk is to users who connect to VPN services they do not fully trust. Anyone running these pre-release builds should update immediately, since a successful attack can lead to data theft, malware deployment or full compromise of the client machine.

The issue is tracked as CVE-2025-10680 and carries a CVSS score of 8.1 (High); the attack requires no authentication to the client, only a server the client connects to. The OpenVPN project has not reported exploitation in the wild but recommends upgrading to 2.7_beta2, released on October 27, 2025, which adds input sanitization for the DNS strings and also fixes several Windows-specific issues. Since only 2.7 pre-release builds are affected, the safest course for production deployments is to stay on a stable release rather than run alpha or beta builds, and to validate any new build on each operating system it will be deployed to before rolling it out.
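The two things a practitioner wants here are a way to tell whether an installed build is in the affected range and a concrete picture of what "sanitizing the DNS strings" means. The following POSIX shell script is an added example written for this page; it is not OpenVPN's own code and does not reproduce the project's fix. It assumes the version format printed by `openvpn --version` ("OpenVPN <version> <platform> ...") and uses a constructed list of pushed values; the function names and the allowlist are this example's own choices. The validation shows the general pattern of rejecting any value a shell could re-parse, which also covers other pushed options, not only --dns and --dhcp-option.

```shell
#!/bin/sh
# Added example, not OpenVPN project code. Shows (1) an allowlist check for
# server-pushed DNS option values before a script uses them and (2) a version
# check for the 2.7_alpha1..2.7_beta1 range named in the CVE-2025-10680 advisory.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# is_safe_dns_value VALUE
# Succeeds only when VALUE looks like an IPv4/IPv6 address or a DNS name:
# letters, digits, dots, colons and hyphens, and not starting with a hyphen.
# Whitespace, quotes, $, backticks, ;, |, &, <, > and parentheses all fail,
# so a value that passes can never be re-parsed by a shell as a command.
is_safe_dns_value() {
    case "$1" in
        '' | -*)            return 1 ;;  # empty, or looks like an option flag
        *[!A-Za-z0-9.:-]*)  return 1 ;;  # any byte outside the allowlist
        *)                  return 0 ;;
    esac
}

# filter_dns_values VALUE...
# Prints, one per line, only the values that pass is_safe_dns_value and
# reports rejected ones on stderr. This is the gate to apply to pushed
# DNS servers and search domains before handing them to any tool.
filter_dns_values() {
    for v in "$@"; do
        if is_safe_dns_value "$v"; then
            printf '%s\n' "$v"
        else
            printf 'rejected unsafe DNS option value: %s\n' "$v" >&2
        fi
    done
}

# is_affected_version TOKEN
# Succeeds when TOKEN (e.g. "2.7_beta1") falls in the advisory's range:
# 2.7_alpha1 up to and including 2.7_beta1. 2.7_beta2 and later, and the
# 2.6.x stable series, are not matched.
is_affected_version() {
    case "$1" in
        2.7_alpha[0-9]*) return 0 ;;
        2.7_beta1)       return 0 ;;
        *)               return 1 ;;
    esac
}

# openvpn_version_token LINE
# Extracts the version token from the first line of `openvpn --version`
# output, assumed to look like "OpenVPN <version> <platform> ...".
openvpn_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenVPN \([^ ]*\).*/\1/p'
}

# --- Demonstration on constructed input (not captured from a real server) ---
# The injection-prone pattern is letting a pushed value reach something like
#   eval "resolvectl dns $DEV $value"
# where a value such as '10.0.0.1;id' terminates the command and runs `id`.
# The safe pattern validates first, then passes the value as one quoted
# argument ("$value"), never through eval or an unquoted expansion.
safe_list=$(filter_dns_values 8.8.8.8 example.com 2001:db8::1 \
            '10.0.0.1;id' '$(id)' '-Z' '1.1.1.1 -x' 2>/dev/null)
echo "accepted DNS values:"
echo "$safe_list"

for line in "OpenVPN 2.7_beta1 x86_64-pc-linux-gnu [SSL (OpenSSL)]" \
            "OpenVPN 2.7_beta2 x86_64-pc-linux-gnu [SSL (OpenSSL)]" \
            "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)]"; do
    tok=$(openvpn_version_token "$line")
    if is_affected_version "$tok"; then
        echo "$tok: in the CVE-2025-10680 range, upgrade to 2.7_beta2 or later"
    else
        echo "$tok: not in the affected range"
    fi
done
```

On a real host, replace the constructed version lines with `openvpn --version | head -n 1`. The allowlist deliberately rejects values that are legitimate in other contexts (for example an IDN with non-ASCII bytes) in favour of never letting shell metacharacters through; a script that needs those cases should decode them into the allowed form rather than loosen the check.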

Read the original: Cyber Security News