A high-severity security vulnerability has been uncovered in strongSwan, the widely used open-source IPsec-based VPN solution. The flaw, tracked as CVE-2026-25075 with a CVSSv4 score of 8.7, resides in the eap-ttls plugin and could allow unauthenticated remote attackers to paralyze VPN gateways through resource exhaustion or targeted system crashes.
The vulnerability affects all versions of strongSwan released since version 4.5.0, making it a significant concern for long-standing enterprise VPN infrastructures.
The issue centers on how the eap-ttls plugin processes Attribute-Value Pairs (AVPs) tunneled within a TLS session. The EAP-TTLSv0 protocol is commonly used to protect other authentication methods, such as EAP-MSCHAPv2, during the IKEv2 setup process.
According to the security advisory:
“The eap-ttls plugin doesn’t check the length field in the header of attribute-value pairs (AVPs) tunneled in EAP-TTLS, which can cause an integer underflow that may lead to resource exhaustion or a crash”.
Technically, if an attacker sends a specifically crafted AVP header with an invalid length, the software may attempt to allocate an enormous amount of memory—potentially up to 4 GiB.
While the vulnerability is severe, researchers have confirmed that it is limited to Denial of Service (DoS) attacks.
If the massive memory allocation succeeds, it can starve the system of resources. More likely, the allocation of ~4 GiB will fail. Because the code does not check for this failure before attempting to write to the memory “chunk,” it results in a null-pointer dereference and an immediate crash (segmentation fault).
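The mechanism described above, as an added example that is not strongSwan's code: an illustrative parser for the EAP-TTLS AVP header layout (RFC 5281: 4-byte code, 1-byte flags, 3-byte length covering header and data, optional 4-byte vendor id when the V flag is set, data padded to 4 bytes). `unchecked_data_len` shows how an unsigned subtraction on a length smaller than the header wraps to just under 4 GiB, and `parse_avp` shows the two bounds a hardened parser enforces before ever computing a data length. All sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not strongSwan's code. AVP layout assumed from RFC 5281 10.1:
 *   Code (4) | Flags (1) | Length (3) | [Vendor-ID (4) if V flag] | Data | pad
 * Length includes the header and data but not the trailing padding. */
#define AVP_FLAG_VENDOR    0x80
#define AVP_HDR_LEN        8
#define AVP_VENDOR_HDR_LEN 12

typedef struct {
    uint32_t code;
    uint8_t  flags;
    uint32_t vendor_id;
    const uint8_t *data;
    size_t   data_len;
    size_t   consumed;   /* bytes to advance in the buffer, padding included */
} avp_t;

/* The defect pattern: data length computed by unsigned subtraction with no
 * lower-bound check. For avp_len < hdr_len the result wraps to ~4 GiB, which
 * is the size a later allocation would be asked for. Nothing is allocated here. */
uint32_t unchecked_data_len(uint32_t avp_len, uint32_t hdr_len)
{
    return avp_len - hdr_len;   /* wraps when avp_len < hdr_len */
}

/* Hardened parser: 0 and *out filled on success, -1 on any malformed header. */
int parse_avp(const uint8_t *buf, size_t buflen, avp_t *out)
{
    if (buflen < AVP_HDR_LEN) {
        return -1;                                   /* truncated fixed header */
    }
    uint32_t code  = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8)  | buf[3];
    uint8_t  flags = buf[4];
    uint32_t len   = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | buf[7];
    size_t hdr_len = (flags & AVP_FLAG_VENDOR) ? AVP_VENDOR_HDR_LEN : AVP_HDR_LEN;

    if (len < hdr_len) {
        return -1;   /* lower bound: otherwise len - hdr_len underflows */
    }
    if (len > buflen) {
        return -1;   /* upper bound: declared length must fit received bytes */
    }
    out->code = code;
    out->flags = flags;
    out->vendor_id = 0;
    if (flags & AVP_FLAG_VENDOR) {
        out->vendor_id = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                         ((uint32_t)buf[10] << 8) | buf[11];
    }
    out->data = buf + hdr_len;
    out->data_len = len - hdr_len;                   /* safe: len >= hdr_len */
    size_t padded = ((size_t)len + 3) & ~(size_t)3;  /* pad to 4-byte boundary */
    out->consumed = padded > buflen ? buflen : padded; /* never past the end */
    return 0;
}

/* Walk consecutive AVPs; returns the count, or -1 at the first malformed one
 * (reject the whole message rather than try to resynchronise). */
int count_avps(const uint8_t *buf, size_t buflen)
{
    int n = 0;
    size_t off = 0;
    while (off < buflen) {
        avp_t avp;
        if (parse_avp(buf + off, buflen - off, &avp) != 0) {
            return -1;
        }
        off += avp.consumed;
        n++;
    }
    return n;
}

/* Constructed samples (code 1, M flag set). */
const uint8_t SAMPLE_GOOD[]     = {0,0,0,1, 0x40, 0,0,12, 'a','l','e','x'};   /* len 12 = 8 + 4 */
const uint8_t SAMPLE_SHORT[]    = {0,0,0,1, 0x40, 0,0,4,  'a','l','e','x'};   /* len 4 < header */
const uint8_t SAMPLE_OVERLONG[] = {0,0,0,1, 0x40, 0,0,100,'a','l','e','x'};   /* len 100 > buffer */
const uint8_t SAMPLE_TWO[]      = {0,0,0,1, 0x40, 0,0,9,  'a',0,0,0,          /* len 9, 3 pad bytes */
                                   0,0,0,1, 0x40, 0,0,12, 'a','l','e','x'};

int main(void)
{
    printf("good: %d AVP(s)\n", count_avps(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("short length: %d (rejected)\n", count_avps(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("unchecked data length for len=4 would be %u bytes\n",
           (unsigned)unchecked_data_len(4, AVP_HDR_LEN));
    return 0;
}
```

The two checks in `parse_avp` are the whole fix: the lower bound prevents the underflow that produces the huge size, and the upper bound prevents reading past the received data. A caller that still allocates for `data_len` must additionally check the allocation result, which is the second failure the advisory describes.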
The advisory explicitly states that “Remote code execution is not possible due to this issue”.
The threat is specific to environments utilizing a particular authentication type. “Clients and servers that don’t use EAP-TTLS authentication are not vulnerable”. If your VPN configuration relies on this plugin for secure tunneling of internal EAP methods, you are at risk.
The vulnerability was discovered and responsibly reported by Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
The most effective defense is to upgrade strongSwan to a patched version that includes proper length validation for AVP headers. For organizations unable to upgrade immediately, the following mitigations should be considered:
- Audit Authentication Methods: Confirm whether eap-ttls is actively required. If not, disabling the plugin eliminates the attack surface.
- Restrict Access: Ensure that your VPN endpoints are only accessible to intended users to minimize exposure to unauthenticated probes.