OpenVPN 2.6.14 released with critical fix to prevent denial-of-service attacks triggered by malformed TLS handshake packets.

The OpenVPN community has issued a critical security update to patch a newly discovered server-side vulnerability affecting configurations using the --tls-crypt-v2 option. This flaw, tracked as CVE-2025-2704, has been fixed in the OpenVPN 2.6.14 release, and although it doesn’t compromise encrypted data or allow remote code execution, it could allow attackers to crash VPN servers, disrupting secure communications for users globally.

What’s the issue?

The vulnerability affects OpenVPN versions 2.6.1 to 2.6.13, but only if the --tls-crypt-v2 option is enabled. This feature is widely used to encrypt and authenticate control channel packets in TLS sessions, enhancing privacy and resistance to Deep Packet Inspection (DPI).

According to the security advisory, when the server receives a specific mix of incoming packets, some legitimate and others malformed, its per-client state becomes corrupted. This trips an internal ASSERT, and the server process aborts immediately, resulting in a denial of service (DoS).

“Upon receiving a specific combination of legitimate and malformed packets, the client state on the server becomes corrupted, triggering an ASSERT message that shuts down the server,” the OpenVPN team explained.

Who is at risk?

To successfully exploit the vulnerability, an attacker must either:

  • Possess a valid tls-crypt-v2 client key, or
  • Monitor TLS handshake traffic and inject specially crafted packets during the exchange.

No data compromise — but serious disruption

While the vulnerability is serious in terms of service disruption, no cryptographic integrity is breached, and no data leakage or remote code execution is possible.

The bug does not affect OpenVPN clients, only servers using the vulnerable option.

Recommended actions

Organizations running vulnerable OpenVPN servers should take the following actions immediately:

  • Upgrade to OpenVPN 2.6.14 or later, which includes the fix for CVE-2025-2704.
  • If an immediate upgrade is not feasible, disable --tls-crypt-v2 as a temporary workaround. Note that doing so gives up the control-channel encryption and DPI resistance the option provides.
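The two conditions above (an affected version and --tls-crypt-v2 in the server config) are easy to check mechanically. The following POSIX shell audit helper is an added example, not code from the OpenVPN project or from the advisory. It assumes you can feed it the first line of `openvpn --version` output and the path to the server config file; the sample config and version string it runs against are constructed for the demo. In a config file the option is written without the leading dashes, either as a `tls-crypt-v2 <keyfile>` directive or as an inline `<tls-crypt-v2>` block, and both forms are matched while commented-out lines are ignored.

```shell
#!/bin/sh
# Added audit helper (not OpenVPN project code): flags a server that matches the
# CVE-2025-2704 conditions from the advisory, i.e. OpenVPN 2.6.1 through 2.6.13
# AND tls-crypt-v2 enabled in the server configuration.

# Extract "2.6.13" from the first line of `openvpn --version` output, e.g.
# "OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [DCO] ...".
parse_openvpn_version() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when MAJOR.MINOR.PATCH lies in the affected 2.6.1 .. 2.6.13 range.
# Anything that does not parse as a numeric patch level is treated as "not affected"
# by this check, so inspect such versions by hand.
is_affected_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*$//')
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" = "2" ] && [ "$minor" = "6" ] && [ "$patch" -ge 1 ] && [ "$patch" -le 13 ]; then
        return 0
    fi
    return 1
}

# Return 0 when the config enables tls-crypt-v2 (directive form or inline
# <tls-crypt-v2> block); lines that start with '#' or ';' are comments and skipped.
config_uses_tls_crypt_v2() {
    grep -Eq '^[[:space:]]*(tls-crypt-v2[[:space:]]|<tls-crypt-v2>)' "$1"
}

# Combine both checks. Prints a verdict; returns 0 when the server is exposed
# (affected version AND tls-crypt-v2 enabled) and 1 otherwise.
assess_server() {
    version_line="$1"
    config="$2"
    ver=$(parse_openvpn_version "$version_line")
    if is_affected_version "$ver" && config_uses_tls_crypt_v2 "$config"; then
        echo "EXPOSED: OpenVPN $ver with tls-crypt-v2 in $config (upgrade to 2.6.14 or later)"
        return 0
    fi
    echo "not exposed: OpenVPN ${ver:-unknown}, config $config"
    return 1
}

# --- demo on constructed inputs (not from a real deployment) -----------------
demo_version_line='OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [DCO]'
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
port 1194
proto udp
dev tun
# tls-crypt-v2 /etc/openvpn/old-server.key   <- commented out, must not count
tls-crypt-v2 /etc/openvpn/tc-v2-server.key
EOF

if assess_server "$demo_version_line" "$demo_config"; then
    echo "-> action: upgrade to 2.6.14+, or remove tls-crypt-v2 until you can"
fi
rm -f "$demo_config"
```

On a real host, replace the constructed inputs with `"$(openvpn --version | head -n 1)"` and the path of each server config you run (for example under /etc/openvpn/server/), and run the helper once per config, since a single host may serve several instances with different options.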

Additional improvements in OpenVPN 2.6.14

Aside from the security fix, the new version also includes:

  • Linux DCO fix for source IP selection with --multihome
  • MSI packages built against OpenSSL 3.4.1
  • GUI enhancements on Windows (version 11.52.0.0), including improved handling of inaccessible .ovpn configs and proper debug log placement.

For more information and downloads, visit the OpenVPN security advisory page.

This incident highlights the importance of staying updated with the latest security patches and reviewing configuration settings in critical infrastructure services like VPNs, which are increasingly targeted by sophisticated attacks.
