CVE-2024-8474
Published: 06 January 2025
Summary
CVE-2024-8474 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in OpenVPN Connect. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks in the top 25.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws, directly addressing this vulnerability by upgrading OpenVPN Connect to version 3.5.0 where the improper logging of private keys is fixed.
AU-9 protects audit and application logs containing the exposed clear-text private key from unauthorized access, modification, or deletion.
AU-13 monitors systems for unauthorized disclosure of sensitive information, such as private keys logged in application logs, enabling identification of the exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly exposes private keys via application logs (unsecured credentials).
NVD Description
OpenVPN Connect before version 3.5.0 can contain the configuration profile's clear-text private key which is logged in the application log, which an unauthorized actor can use to decrypt the VPN traffic
Deeper analysis
CVE-2024-8474 is a vulnerability in OpenVPN Connect versions prior to 3.5.0, where the configuration profile's clear-text private key can be logged in the application log. This exposure of sensitive cryptographic material, classified under CWE-212 (Improper Removal of Sensitive Information before Storage or Transfer), allows unauthorized access to the private key. The issue received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with network accessibility and no prerequisites for exploitation.
An attacker with access to the application's logs can extract the clear-text private key from the logged configuration profile. No privileges, user interaction, or special conditions are required, enabling remote exploitation over the network with low complexity. Successful exploitation grants the ability to decrypt VPN traffic protected by that key, potentially exposing sensitive data in transit.
Mitigation is addressed in OpenVPN Connect version 3.5.0, as detailed in the official Android release notes at https://openvpn.net/connect-docs/android-release-notes.html. Security practitioners should upgrade to version 3.5.0 or later and review logs for exposed keys, ensuring proper handling of configuration profiles to prevent similar logging issues.
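One way to carry out the log review described above, as an added example rather than code from OpenVPN or this page: a scanner that reports where PEM private-key blocks appear in collected log text without copying any key material. The sample log lines are constructed, the real application log layout is not assumed, and `MAX_BLOCK_LINES` is an assumed cut-off for blocks whose closing armor is missing.

```python
import re

# PEM armor labels for private keys (PKCS#8, encrypted PKCS#8, RSA, EC, DSA, OpenSSH).
LABEL = r"((?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)"
BEGIN_RE = re.compile(r"-----BEGIN " + LABEL + r"-----")
END_RE = re.compile(r"-----END " + LABEL + r"-----")
MAX_BLOCK_LINES = 128  # assumption: no single key block spans more lines than this

def find_private_keys(lines):
    """Return one finding per PEM private-key header found in the log lines.

    A finding records the 1-based start/end line, the PEM label and whether the
    closing armor was seen (False = truncated block, e.g. cut by log rotation).
    Key material is never copied into the findings.
    """
    findings, current = [], None
    for number, line in enumerate(lines, start=1):
        begin = BEGIN_RE.search(line)
        if begin:
            if current:  # previous block never closed before a new header
                findings.append(current)
            current = {"start": number, "end": number,
                       "label": begin.group(1), "complete": False}
        if current is None:
            continue
        current["end"] = number
        end = END_RE.search(line)
        if end and end.group(1) == current["label"]:
            current["complete"] = True
            findings.append(current)
            current = None
        elif number - current["start"] >= MAX_BLOCK_LINES:
            findings.append(current)  # give up: treat as truncated
            current = None
    if current:
        findings.append(current)
    return findings

# Constructed sample log; the base64 bodies are placeholders, not real keys.
SAMPLE_LOG = """\
2025-01-06 10:00:01 starting session (constructed line)
2025-01-06 10:00:02 profile content follows (constructed line)
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
</key>
2025-01-06 10:00:03 connected (constructed line)
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
""".splitlines()

if __name__ == "__main__":
    for f in find_private_keys(SAMPLE_LOG):
        print(f"lines {f['start']}-{f['end']}: {f['label']} complete={f['complete']}")
```

Any finding means the key pair in that profile should be treated as disclosed and replaced, not only the log entry removed.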
Details
- CWE(s)