Security researchers have disclosed a high-severity vulnerability, tracked as CVE-2025-10680 (CVSS 8.8), affecting OpenVPN 2.7_alpha1 through 2.7_beta1 releases. The flaw exposes Unix-like systems to script injection attacks when connecting to untrusted VPN servers, potentially allowing remote code execution on the client side.
According to the security announcement, “the pushed --dns and --dhcp-option arguments are not properly sanitised when passing them to the --dns-updown script hook, allowing them to inject additional commands being performed on the client.”
This vulnerability impacts POSIX-based platforms such as Linux, BSD, macOS, and similar Unix-like environments. Windows systems are largely unaffected unless configured to use the built-in PowerShell call in the same script path.
The issue arises when an OpenVPN client connects to a compromised or malicious VPN server capable of pushing DNS or DHCP configuration options during session initiation. Improper input handling in these options allows the attacker to craft specially formatted arguments that inject additional shell commands into the system executing the DNS update hook.
This means a malicious VPN endpoint could execute arbitrary code on the client device, depending on the privileges of the OpenVPN process. For instance, if OpenVPN is run with elevated permissions, attackers could gain complete system compromise.
The development team clarified that this vulnerability “affects unixoid systems with --dns-updown scripts and Windows using the built-in PowerShell call,” emphasizing that the flaw is tied to how the client-side hook interprets incoming configuration data.
The OpenVPN team acted swiftly to resolve the issue in OpenVPN 2.7_beta2, released with a patch that introduces proper input sanitisation for DNS strings.
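The defensive pattern behind such a fix, as an added example that is not OpenVPN's own code: server-pushed DNS options are validated against a strict allowlist before a dns-updown style hook ever sees them, and the hook is launched as an argv list rather than through a shell. The function names, the environment-variable names and the hook path are hypothetical.

```python
"""Added example, not OpenVPN's code: allowlist server-pushed DNS options
before a dns-updown style hook sees them, and launch the hook without a shell."""
from __future__ import annotations
import ipaddress
import re
import subprocess

# RFC 1123 label grammar for search domains (constructed allowlist).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")

def is_valid_dns_server(value: str) -> bool:
    """Only a literal IPv4/IPv6 address is accepted; anything else is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_valid_search_domain(value: str) -> bool:
    """Only a syntactically valid hostname (<= 253 chars) is accepted."""
    return len(value) <= 253 and _DOMAIN_RE.fullmatch(value) is not None

def sanitise_pushed_options(options: list[str]) -> dict[str, list[str]]:
    """Parse pushed 'dhcp-option DNS <addr>' / 'dhcp-option DOMAIN <name>' lines.
    Whitespace splitting plus strict per-value checks keep shell metacharacters out."""
    servers, domains = [], []
    for line in options:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            if parts[1] == "DNS" and is_valid_dns_server(parts[2]):
                servers.append(parts[2])
                continue
            if parts[1] == "DOMAIN" and is_valid_search_domain(parts[2]):
                domains.append(parts[2])
                continue
        raise ValueError(f"rejected pushed option: {line!r}")
    return {"servers": servers, "domains": domains}

def build_hook_invocation(hook_path: str, opts: dict[str, list[str]]):
    """argv list + env dict (hypothetical variable names): no shell parses the values."""
    env = {f"dns_server_{i}": s for i, s in enumerate(opts["servers"], 1)}
    env["dns_search_domains"] = " ".join(opts["domains"])
    return [hook_path, "up"], env

def run_dns_hook(hook_path: str, pushed: list[str]) -> int:
    """Validate, then exec the hook directly (never via /bin/sh -c)."""
    argv, env = build_hook_invocation(hook_path, sanitise_pushed_options(pushed))
    return subprocess.run(argv, env=env, shell=False, check=False).returncode
```

A value that fails validation aborts the whole update rather than being passed through, which is the safe failure mode for data that comes from the remote peer.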
Other fixes in this release address multi-socket handling on Windows and the restoration of IPv4 broadcast address configuration on Linux, ensuring improved cross-platform stability and security.
Administrators and developers using testing or preview builds are strongly advised to upgrade immediately to version 2.7_beta2 or later. Production users running OpenVPN 2.6.x or stable releases are not affected by this vulnerability.