CVE-2025-10680

critical

Description

Gert Doering reports: Notable changes beta1 -> beta2 are: [...] add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicous OpenVPN server (CVE: 2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call) Lev Stipakov writes: On Linux (and similar platforms), those options are written to a tmp file, which is later sourced by a script running as root. Since options are controlled by the server, it is possible for a malicious server to execute script injection attack [...]. The original report is credited to Stanislav Fort <[email protected]>.

Details

Source: Mitre, NVD

Published: 2025-09-25

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

Detections

Analytics