Urgent OpenVPN Security Patch to Stop Remote Denial of Service Attacks  

Security Advisory: OpenVPN has issued security updates to address critical flaws that can cause denial of service by exploiting logic errors in authentication and memory handling during connection handshake and packet processing.

The vulnerabilities, CVE-2025-12106 and CVE-2025-13086, do not impact the confidentiality or integrity of encrypted data. Immediate upgrades to the latest OpenVPN versions address these flaws, restore proper operation and prevent remote denial of service attacks.

OEM: OpenVPN
Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2025-12106, CVE-2025-13086
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

These vulnerabilities do not impact the confidentiality or integrity of encrypted data, but they may allow attackers to disrupt VPN service availability remotely under certain conditions. The flaws affect the HMAC verification mechanism and IPv6 address parsing in affected OpenVPN versions. Immediate software updates are recommended to prevent service disruption and maintain secure VPN operations.

Vulnerability Name                          | CVE ID         | Product Affected | Severity | Fixed Version
Heap buffer over-read in IP address parsing | CVE-2025-12106 | OpenVPN          | Critical | 2.7_rc2
HMAC verification bypass leading to DoS     | CVE-2025-13086 | OpenVPN          | High     | 2.6.16 and 2.7_rc2

Technical Summary 

OpenVPN contained a critical logic flaw in the verification process during the handshake phase. This flaw was due to an inverted memory comparison function that caused the system to accept all HMAC cookies without proper validation of the source IP address, effectively bypassing the intended initial verification layer.

This allowed attackers to open TLS sessions without initiating legitimate connections, leading to resource exhaustion and denial of service remotely. 
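The inverted-comparison defect described above, modelled as an added C illustration rather than OpenVPN's own code: a memcmp()-style comparison returns 0 on a match, so interpreting a non-zero result as success accepts every cookie except the genuine one and rejects the genuine one. The cookie length, the comparison helper and the two test vectors are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed cookie length for this illustration; not OpenVPN's value. */
#define COOKIE_LEN 16

/* Constant-time byte comparison with memcmp()-style sense: 0 means "identical",
 * non-zero means "differs". The defect below is not in the comparison itself
 * but in how its result is interpreted. */
static int cookie_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff;
}

/* Inverted check (the defect class the advisory describes, modelled here):
 * a non-zero result is read as "match", so any cookie that does NOT equal
 * the expected one passes, and a peer that never completed the cookie
 * round-trip gets a session allocated. */
int cookie_valid_inverted(const uint8_t *expected, const uint8_t *received)
{
    return cookie_compare(expected, received, COOKIE_LEN) != 0;
}

/* Corrected check: accept only when no byte differs. */
int cookie_valid_fixed(const uint8_t *expected, const uint8_t *received)
{
    return cookie_compare(expected, received, COOKIE_LEN) == 0;
}

/* Constructed test vectors: a genuine cookie and a forged one differing in the last byte. */
static const uint8_t genuine_cookie[COOKIE_LEN] = {
    0x5a, 0x11, 0xc3, 0x9f, 0x02, 0x77, 0xe8, 0x40,
    0xbe, 0x1d, 0x6c, 0xa5, 0x33, 0x90, 0x0f, 0xd2 };
static const uint8_t forged_cookie[COOKIE_LEN] = {
    0x5a, 0x11, 0xc3, 0x9f, 0x02, 0x77, 0xe8, 0x40,
    0xbe, 0x1d, 0x6c, 0xa5, 0x33, 0x90, 0x0f, 0x00 };

/* Returns 1 if the inverted check lets the forged cookie through. */
int demo_inverted_accepts_forged(void)
{
    return cookie_valid_inverted(genuine_cookie, forged_cookie);
}

/* Returns 1 if the inverted check rejects the genuine cookie. */
int demo_inverted_rejects_genuine(void)
{
    return !cookie_valid_inverted(genuine_cookie, genuine_cookie);
}

/* Returns 1 if the fixed check accepts the genuine cookie and rejects the forged one. */
int demo_fixed_is_correct(void)
{
    return cookie_valid_fixed(genuine_cookie, genuine_cookie)
        && !cookie_valid_fixed(genuine_cookie, forged_cookie);
}

int main(void)
{
    printf("inverted check accepts forged cookie:  %d\n", demo_inverted_accepts_forged());
    printf("inverted check rejects genuine cookie: %d\n", demo_inverted_rejects_genuine());
    printf("fixed check correct on both vectors:   %d\n", demo_fixed_is_correct());
    return 0;
}
```

The point for reviewers is that the comparison sense is a one-character condition: a unit test that feeds a deliberately altered cookie and expects rejection would have caught the inversion before release.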

Additionally, there was a high-severity buffer handling issue in the parsing of IPv6 addresses caused by an inconsistent address family check. This issue led to a heap buffer over-read, which could result in memory corruption and potential service crashes, creating a denial of service condition.

This compromised the availability of the OpenVPN service by allowing unauthorized handshake bypass and improper memory handling.
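An added C illustration of the address-family consistency check the summary refers to (constructed for this page, not OpenVPN's parser): a heap record is sized from its own family tag, so a read length taken from a different family indicator runs past the allocation. The hardened copy derives the length from the record's family and refuses any mismatch; the unchecked path reports the over-read it would perform instead of performing it, so the example runs safely. The family tags, lengths and sample address are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed family tags and wire lengths; a real parser uses the platform's
 * address family constants. */
enum { FAM_V4 = 4, FAM_V6 = 6 };
#define V4_LEN 4
#define V6_LEN 16

/* Constructed heap-allocated address record: `len` is sized from `family`. */
struct addr_rec {
    int      family;
    size_t   len;
    uint8_t *bytes;
};

struct addr_rec *addr_rec_new(int family, const uint8_t *src)
{
    struct addr_rec *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->family = family;
    r->len = (family == FAM_V6) ? V6_LEN : V4_LEN;
    r->bytes = malloc(r->len);
    if (!r->bytes) { free(r); return NULL; }
    memcpy(r->bytes, src, r->len);
    return r;
}

void addr_rec_free(struct addr_rec *r)
{
    if (r) { free(r->bytes); free(r); }
}

/* Length an unchecked parser would read if it trusted a family hint carried
 * separately from the record (the inconsistent check). Returned, not executed. */
size_t hinted_read_len(int hinted_family)
{
    return (hinted_family == FAM_V6) ? V6_LEN : V4_LEN;
}

/* Returns 1 when reading by the hint would run past the heap buffer. */
int would_over_read(const struct addr_rec *r, int hinted_family)
{
    return hinted_read_len(hinted_family) > r->len;
}

/* Hardened copy: the read length comes from the record's own family, and that
 * family must agree with the caller's expectation and with the allocated size.
 * Returns bytes copied, or -1 on any inconsistency. */
int addr_copy_checked(const struct addr_rec *r, int expected_family,
                      uint8_t *out, size_t out_len)
{
    if (!r || !out || r->family != expected_family) return -1;
    size_t n = (r->family == FAM_V6) ? V6_LEN : V4_LEN;
    if (n != r->len || n > out_len) return -1;
    memcpy(out, r->bytes, n);
    return (int)n;
}

/* Constructed sample: an IPv4 record handed to a path that treats it as IPv6. */
static const uint8_t sample_v4[V4_LEN] = { 192, 0, 2, 10 };

/* Returns 1 if the mismatch between hint and record is detected. */
int demo_mismatch_detected(void)
{
    struct addr_rec *r = addr_rec_new(FAM_V4, sample_v4);
    int flagged = r && would_over_read(r, FAM_V6);
    addr_rec_free(r);
    return flagged;
}

/* Returns bytes copied by the hardened path, or -1 when it refuses. */
int demo_checked_copy(int expected_family)
{
    uint8_t out[V6_LEN];
    struct addr_rec *r = addr_rec_new(FAM_V4, sample_v4);
    int n = r ? addr_copy_checked(r, expected_family, out, sizeof out) : -1;
    addr_rec_free(r);
    return n;
}

int main(void)
{
    printf("hint/record family mismatch detected: %d\n", demo_mismatch_detected());
    printf("checked copy with wrong family:       %d\n", demo_checked_copy(FAM_V6));
    printf("checked copy with right family:       %d\n", demo_checked_copy(FAM_V4));
    return 0;
}
```

Building the real parser with AddressSanitizer and feeding it mixed-family inputs is the practical way to surface this class of over-read before it reaches a production VPN endpoint.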

CVE ID         | Component Affected         | Vulnerability Details                                                                                                                            | Impact
CVE-2025-12106 | OpenVPN IP address parsing | Heap buffer over-read caused by insufficient validation during IP address parsing, potentially leading to crashes or memory data leaks.          | Denial of Service (DoS), sensitive memory disclosure
CVE-2025-13086 | OpenVPN HMAC verification  | Incorrect implementation of the memcmp() call in the HMAC verification, causing acceptance of all HMAC cookies and bypass of source IP validation. | Potential resource exhaustion via unauthorized session creation, DoS attacks

Recommendations 

Update OpenVPN immediately to one of the following fixed versions, or to the latest release:

  • OpenVPN 2.7_rc2  
  • OpenVPN 2.6.16  

Conclusion

The vulnerabilities discovered pose critical risks to OpenVPN service availability by enabling remote denial-of-service attacks.

Users are urged to immediately upgrade to the fixed versions to prevent service disruption and maintain secure VPN functionality. Prompt action will safeguard network connectivity and ensure continued secure remote access. 
