Cyber Resilience

CVE-2024-8474

High

Published: 06 January 2025

Published
06 January 2025
Modified
10 June 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0114 78.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8474 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in Openvpn Connect. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004); ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-8474 is a vulnerability in OpenVPN Connect versions prior to 3.5.0, where the configuration profile's clear-text private key can be logged in the application log. This exposure of sensitive cryptographic material, classified under CWE-212 (Improper Removal of Sensitive Information before Storage or Transfer), allows unauthorized access to the private key. The issue received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.

An attacker with access to the application's logs can extract the clear-text private key from the logged configuration profile. No privileges, user interaction, or special conditions are required, enabling remote exploitation over the network with low complexity. Successful exploitation grants the ability to decrypt VPN traffic protected by that key, potentially exposing sensitive data in transit.

Mitigation is addressed in OpenVPN Connect version 3.5.0, as detailed in the official Android release notes at https://openvpn.net/connect-docs/android-release-notes.html. Security practitioners should upgrade to version 3.5.0 or later and review logs for exposed keys, ensuring proper handling of configuration profiles to prevent similar logging issues.

EU & UK References

Vulnerability details

OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552.004 Private Keys Credential Access
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

Vulnerability directly exposes private keys via application logs (unsecured credentials).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9560Same product: Openvpn Connect
CVE-2024-5594Same vendor: Openvpn
CVE-2025-12106Same vendor: Openvpn
CVE-2024-43384Shared CWE-212
CVE-2026-43824Shared CWE-212
CVE-2026-27640Shared CWE-212
CVE-2026-34214Shared CWE-212
CVE-2026-42880Shared CWE-212
CVE-2026-32891Shared CWE-212

Affected Assets

openvpn
connect
≤ 3.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely remediation of flaws, directly addressing this vulnerability by upgrading OpenVPN Connect to version 3.5.0 where the improper logging of private keys is fixed.

prevent

AU-9 protects audit and application logs containing the exposed clear-text private key from unauthorized access, modification, or deletion.

detect

AU-13 monitors systems for unauthorized disclosure of sensitive information, such as private keys logged in application logs, enabling identification of the exposure.

References