Cyber Posture

CVE-2025-25568

Critical · Public PoC

Published: 12 March 2025

Modified: 19 July 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function. NOTE: the Supplier disputes this because the use-after-free is not in the VPN software, but is instead in a separate tool that has no untrusted input and runs under the user's own privileges (it is a stress-testing tool for a networking stack).

Security Summary

CVE-2025-25568 is a use-after-free vulnerability (CWE-416) affecting SoftEtherVPN version 5.02.5187, specifically in the Command.c file through the CheckNetworkAcceptThread function. The issue has been assigned a CVSS v3.1 base score of 9.8 (Critical), reflecting its potential severity. However, the supplier disputes the vulnerability's validity, asserting that the use-after-free occurs not in the core VPN software but in a separate stress-testing tool for the networking stack, which processes no untrusted input and executes under the user's own privileges.

As scored, the CVSS vector describes a flaw that an attacker with network access could potentially exploit remotely with low complexity, requiring no privileges or user interaction, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and an unchanged scope. This suggests possibilities like arbitrary code execution or system compromise, though the supplier's dispute implies limited practical exploitability because the affected component is isolated and is not exposed to untrusted input.

Advisories and additional details are available in referenced documents, including the supplier's response at https://filecenter.softether-upload.com/d/250715_001_79538/CVE-2025-25568.pdf and researcher analysis at https://lzydry.github.io/CVE-2025-25568/. The supplier's position emphasizes that no mitigation beyond standard secure usage of the tool is necessary, given its non-internet-facing design and user-controlled execution context.

Details

CWE(s): CWE-416

Affected Products

Vendor: softether
Product: vpn
Version: 5.02.5187

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0
