CVE-2025-10680
Published: 24 October 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-10680 is a command injection vulnerability (CWE-78) affecting OpenVPN versions 2.7_alpha1 through 2.7_beta1 on POSIX-based platforms. It arises when the --dns-updown option is enabled, allowing a remote authenticated server to inject shell commands via DNS variables. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts on confidentiality, integrity, and availability.
A remote attacker with server authentication privileges can exploit this vulnerability against an OpenVPN client using the affected versions and configuration. By crafting malicious DNS variables during the connection process, the attacker can execute arbitrary shell commands on the client's POSIX-based system. No user interaction is required, and the low attack complexity combined with network accessibility makes it feasible for authenticated adversaries to achieve remote code execution with high-impact consequences.
Mitigation details are provided in official advisories, including the OpenVPN community security announcement at https://community.openvpn.net/Security%20Announcements/CVE-2025-10680 and the mailing list post at https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00149.html, published on 2025-10-24. Security practitioners should consult these sources for patch availability, workarounds, and updated version recommendations.
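An added example, not taken from the OpenVPN project or its advisories: a Python check that applies the two conditions stated above (version in 2.7_alpha1 through 2.7_beta1, `dns-updown` in use) to a client's version banner and config text. The function names, result labels and sample inputs are constructed for illustration, and treating `dns-updown disable` as the off switch is an assumption to confirm against the manual for your build.

```python
import re

# Pre-release ordering used by OpenVPN version strings such as "2.7_beta1".
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE = (3, 0)  # a version with no suffix sorts after every pre-release

def version_key(text):
    """Return a sortable key for the first version found in text, else None."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:_(alpha|beta|rc)(\d+))?", text)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    pre = (_STAGE[stage], int(num)) if stage else _RELEASE
    return (int(major), int(minor), int(patch or 0), pre)

# Affected range exactly as stated on this page.
AFFECTED_LOW = version_key("2.7_alpha1")
AFFECTED_HIGH = version_key("2.7_beta1")

def dns_updown_args(config_text):
    """Arguments of the last dns-updown directive in a client config, else None."""
    found = None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing '#' comments
        # Lines commented out with ';' never compare equal to the directive name.
        if words and words[0].lstrip("-") == "dns-updown":
            found = words[1:]
    return found

def assess(version_text, config_text):
    """Classify one client as 'not-affected', 'exposed', 'disabled' or 'review'."""
    key = version_key(version_text)
    if key is None:
        return "review"            # version unknown: check by hand
    if not AFFECTED_LOW <= key <= AFFECTED_HIGH:
        return "not-affected"
    args = dns_updown_args(config_text)
    if args is None:
        return "review"            # this page does not state the default; confirm it
    if args[:1] == ["disable"]:    # assumption: 'disable' turns the hook off
        return "disabled"
    return "exposed"

# Constructed sample inputs, not captured from a real host.
SAMPLE_VERSION = "OpenVPN 2.7_alpha3 x86_64-pc-linux-gnu [SSL (OpenSSL)]"
SAMPLE_CONFIG = "client\nremote vpn.example.net 1194\ndns-updown /etc/openvpn/dns.sh  # site hook\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A `review` result means the script could not decide from the inputs alone; resolve it against the official advisories linked above.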
Details
- CWE(s): CWE-78
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary shell command injection (T1059.004: Unix Shell) on POSIX clients via a malicious OpenVPN server and constitutes exploitation of a remote service (T1210).