Cyber Posture

CVE-2024-5594

Critical

Published: 06 January 2025

Modified: 03 November 2025
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0028 (51.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5594 is a critical-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in OpenVPN. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE ranks in the top 48.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Transmitted Data Manipulation (T1565.002) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates the vulnerability by requiring timely remediation of the improper sanitization flaw in OpenVPN through patching to version 2.6.11 or later.

prevent

Addresses the root cause of CWE-1287 by enforcing information input validation mechanisms on PUSH_REPLY messages to prevent arbitrary data injection into client logs.

prevent

Protects client audit logs from unauthorized modification and poisoning by arbitrary data injected via malicious PUSH_REPLY messages.

MITRE ATT&CK Enterprise Techniques (AI)

T1565.002 Transmitted Data Manipulation · Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

T1070 Indicator Removal · Stealth
Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity.

Why these techniques?

The vulnerability enables server-controlled arbitrary data injection into client logs, directly facilitating transmitted data manipulation (T1565.002) and log-based indicator removal or integrity disruption (T1070).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.

Deeper analysis (AI)

CVE-2024-5594 is a vulnerability in OpenVPN versions prior to 2.6.11 that stems from improper sanitization of PUSH_REPLY messages. An attacker controlling the OpenVPN server can exploit this flaw to inject unexpected arbitrary data, which ends up in the client logs. The issue is classified under CWE-1287 (Improper Validation of Specified Type of Input) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

The attack requires an adversary to control the OpenVPN server, with no privileges, user interaction, or special conditions needed beyond network access. Exploitation allows the injection of arbitrary data into client-side logs, potentially enabling log poisoning, exposure of sensitive information through crafted payloads, or disruption of log integrity for forensic analysis.

Advisories recommend upgrading to OpenVPN 2.6.11 or later to mitigate the vulnerability, as detailed in the official OpenVPN wiki at https://community.openvpn.net/openvpn/wiki/CVE-2024-5594. Additional guidance appears in the OpenVPN users mailing list at https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html and in the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00005.html, which cover patched packages for affected distributions.

Details

CWE(s)

CWE-1287 (Improper Validation of Specified Type of Input)

Affected Products

Vendor: openvpn
Product: openvpn
Versions: 2.6.0 — 2.6.11

CVEs Like This One

CVE-2025-12106 · Same product: Openvpn Openvpn
CVE-2024-8474 · Same vendor: Openvpn
CVE-2025-12977 · Shared CWE-1287
CVE-2026-2092 · Shared CWE-1287
CVE-2025-20621 · Shared CWE-1287
CVE-2026-2004 · Shared CWE-1287
CVE-2026-26115 · Shared CWE-1287
CVE-2025-20251 · Shared CWE-1287
CVE-2026-2454 · Shared CWE-1287
CVE-2024-48858 · Shared CWE-1287
