Cyber Resilience

CVE-2023-26463

Severity: Critical
Published: 15 April 2023
Modified: 07 February 2025
KEV added: not listed
Patch: fixed in strongSwan 5.9.10
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1154 (93.8th percentile)
Risk priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-26463 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in strongSwan (vendor: strongSwan). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

strongSwan versions 5.9.8 and 5.9.9 contain a use-after-free vulnerability stemming from reuse of a variable named "public" for two distinct purposes inside the same function. The flaw manifests as an initial access-control bypass followed by an expired pointer dereference and is reachable only when the daemon loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). The affected component is therefore any strongSwan server configured for these EAP methods.

An unauthenticated remote attacker can trigger the flaw by presenting a crafted client certificate during an EAP-TLS exchange. Successful exploitation yields remote code execution with the privileges of the charon process, enabling full compromise of the VPN gateway. The CVSS 3.1 base score of 9.8 reflects the absence of required authentication or user interaction and the complete confidentiality, integrity, and availability impact.

The issue is resolved in strongSwan 5.9.10; administrators are advised to upgrade immediately. Vendor advisories from strongSwan and NetApp reiterate that only servers exposing the listed EAP plugins are affected and that the fix eliminates the double use of the variable.

EPSS for the CVE rose from a low baseline to a peak of 0.1284 (currently 0.1154), indicating measurable post-disclosure exploitation interest that warrants renewed attention.

Vulnerability details

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

CWE(s)

CWE-295: Improper Certificate Validation

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: strongswan
Product: strongswan
Affected versions: 5.9.8, 5.9.9

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-295): When certificates are used to establish component provenance, the control requires correct certificate validation procedures.

Control (addresses CWE-295): Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.

Control (addresses CWE-295): Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.