Cyber Resilience

CVE-2024-27459

High

Published: 08 July 2024
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0542 (90.4th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27459 is a high-severity stack-based buffer overflow (CWE-121) in OpenVPN, specifically in the interactive service that ships with the Windows builds. Its CVSS 3.1 base score is 7.8 (High).

Operationally, EPSS ranks it in the top 9.6% of CVEs by exploit likelihood (90.4th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-27459 is a stack-based buffer overflow in the OpenVPN interactive service, the Windows helper service that runs with elevated (SYSTEM) privileges so that non-administrator users can start VPN connections through the GUI. It affects OpenVPN 2.6.9 and earlier (and the 2.5 branch before 2.5.10) and is tracked under CWE-121 and CWE-787. A crafted message sent to the service triggers the overflow, yielding arbitrary code execution at the service's privilege level. The CVSS 3.1 base score of 7.8 reflects a local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N), with high impact to confidentiality, integrity and availability.

An attacker with a low-privileged local account on the Windows host can send data to the interactive service, trigger the overflow and execute arbitrary code with the service's higher privileges, fully compromising confidentiality, integrity and availability without any user interaction. In practice this is a local privilege escalation primitive: it does not give an unauthenticated remote attacker a foothold, but it turns any existing foothold into a full host compromise.
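The weakness class behind this CVE, shown as an added example rather than OpenVPN's own code (and not the actual bug): a message handler that copies a client-controlled number of bytes into a fixed-size stack buffer, beside a hardened version that validates the length against both the destination buffer and the bytes actually received before copying. The wire format (a 2-byte little-endian length prefix), the buffer size, the error codes, the function names and the sample messages are all assumptions made for the illustration.

```c
/* Illustration of the weakness class (CWE-121, stack-based buffer overflow)
 * behind CVE-2024-27459, added as an example. This is NOT OpenVPN's code and
 * not the actual bug: the wire format (2-byte little-endian length prefix
 * followed by payload), the buffer size, the error codes and the function
 * names are all assumptions invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPTIONS_MAX 64  /* assumed size of the fixed stack buffer */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_SHORT = -1,      /* fewer than the 2 header bytes */
    PARSE_ERR_TOO_LONG = -2,   /* declared length does not fit the buffer */
    PARSE_ERR_TRUNCATED = -3   /* declared length exceeds bytes received */
};

/* Assumed header: 2-byte little-endian payload length, client controlled. */
static size_t declared_len(const uint8_t *msg) {
    return (size_t)msg[0] | ((size_t)msg[1] << 8);
}

/* Vulnerable handler. It trusts the client-supplied length and copies that
 * many bytes into a fixed-size stack buffer (CWE-121 / CWE-787). A declared
 * length above OPTIONS_MAX overwrites whatever sits above the buffer on the
 * stack, including the saved return address. It is shown only to make the
 * defect concrete; main() and the test feed it only a benign message. */
static enum parse_result handle_vulnerable(const uint8_t *msg, size_t msg_len,
                                           char *out, size_t out_size) {
    char options[OPTIONS_MAX];
    if (msg_len < 2)
        return PARSE_ERR_SHORT;
    size_t n = declared_len(msg);
    memcpy(options, msg + 2, n);       /* no check of n against sizeof(options) */
    options[n] = '\0';                 /* also out of bounds when n >= OPTIONS_MAX */
    if (out != NULL && out_size > 0)
        snprintf(out, out_size, "%s", options);
    return PARSE_OK;
}

/* Hardened handler. The length is checked against the destination buffer
 * (leaving room for the terminator) and against the bytes actually received
 * before anything is copied, so neither an over-long nor a truncated message
 * can cause an out-of-bounds write or read. */
static enum parse_result handle_hardened(const uint8_t *msg, size_t msg_len,
                                         char *out, size_t out_size) {
    char options[OPTIONS_MAX];
    if (msg_len < 2)
        return PARSE_ERR_SHORT;
    size_t n = declared_len(msg);
    if (n >= sizeof(options))          /* destination bound, checked first */
        return PARSE_ERR_TOO_LONG;
    if (n > msg_len - 2)               /* source bound: would read past msg */
        return PARSE_ERR_TRUNCATED;
    memcpy(options, msg + 2, n);
    options[n] = '\0';
    if (out != NULL && out_size > 0)
        snprintf(out, out_size, "%s", options);
    return PARSE_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t MSG_BENIGN[]    = { 0x04, 0x00, 't', 'u', 'n', '0' };
static const uint8_t MSG_OVERSIZED[] = { 0xff, 0x7f, 'A', 'A', 'A', 'A' }; /* claims 32767 bytes */
static const uint8_t MSG_TRUNCATED[] = { 0x10, 0x00, 'a', 'b' };           /* claims 16, carries 2 */

/* Returns 1 when the hardened handler accepts msg and yields expected. */
static int hardened_yields(const uint8_t *msg, size_t msg_len, const char *expected) {
    char out[OPTIONS_MAX];
    if (handle_hardened(msg, msg_len, out, sizeof(out)) != PARSE_OK)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    char out[OPTIONS_MAX];
    printf("vulnerable, benign:  %d\n",
           handle_vulnerable(MSG_BENIGN, sizeof(MSG_BENIGN), out, sizeof(out)));
    printf("hardened, benign:    %d\n",
           handle_hardened(MSG_BENIGN, sizeof(MSG_BENIGN), out, sizeof(out)));
    printf("hardened yields tun0: %d\n",
           hardened_yields(MSG_BENIGN, sizeof(MSG_BENIGN), "tun0"));
    printf("hardened, oversized: %d\n",
           handle_hardened(MSG_OVERSIZED, sizeof(MSG_OVERSIZED), NULL, 0));
    printf("hardened, truncated: %d\n",
           handle_hardened(MSG_TRUNCATED, sizeof(MSG_TRUNCATED), NULL, 0));
    return 0;
}
```

The order of the two checks in the hardened handler matters: the destination bound is tested before the source bound, so an absurd declared length is rejected without ever being compared against the message. Build-time mitigations such as stack canaries, DEP/NX and ASLR would make exploiting `handle_vulnerable` harder, but they do not remove the out-of-bounds write; only the bounds check (or, for the real service, the fixed release) does.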

OpenVPN has published advisories covering this issue together with the related CVEs fixed in the same releases at the referenced community wiki and security advisory pages, with guidance on affected versions and remediation; upgrading to a fixed release (2.5.10 or 2.6.10 and later) is the remediation. The EPSS score has remained flat at 0.0542, with no material rise observed since disclosure.

Vulnerability details

The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.

CWE(s)

CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openvpn:openvpn (OpenVPN; only the Windows builds include the interactive service)
2.5 branch: before 2.5.10
2.6 branch: 2.6.0 up to but not including 2.6.10
Fixed in 2.5.10 and 2.6.10.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Patching (addresses the vulnerability directly): update OpenVPN on Windows hosts to 2.5.10, 2.6.10 or later. This is the only control that removes the flaw.

Memory-safety exploit mitigations (address CWE-787 and CWE-121): out-of-bounds writes that corrupt control flow or inject shellcode are made harder to exploit by the standard memory protections, namely stack canaries (/GS), non-executable stack and heap (DEP/NX) and address-space layout randomization (ASLR). These raise the cost of turning the overflow into code execution but do not eliminate the bug.

Least privilege on the host (addresses the AV:L/PR:L precondition): the attacker must already hold a low-privileged local account, so limiting interactive and remote logon to the hosts that run the interactive service reduces who can reach the vulnerable code path.
