Cyber Posture

CVE-2025-10680

Severity: High · RCE

Published: 24 October 2025
Modified: 15 April 2026
KEV Added: not listed
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10680 is a high-severity OS Command Injection (CWE-78) vulnerability in OpenVPN (product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The vulnerability ranks at the 41.4th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires timely remediation of flaws, directly addressing the command injection vulnerability in OpenVPN by applying available patches for affected versions.

- prevent (CM-6, Configuration Settings): Mandates secure baseline configuration settings that disable or restrict the vulnerable --dns-updown option in OpenVPN.

- prevent (CM-7, Least Functionality): Restricts the system to least functionality by prohibiting unnecessary features such as --dns-updown scripts, which enable shell command injection via DNS variables.

MITRE ATT&CK Enterprise Techniques

- T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability enables arbitrary shell command injection (T1059.004: Unix Shell) on POSIX clients via a malicious OpenVPN server and constitutes exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use.

Deeper analysis

CVE-2025-10680 is a command injection vulnerability (CWE-78) affecting OpenVPN versions 2.7_alpha1 through 2.7_beta1 on POSIX-based platforms. It arises when the --dns-updown option is enabled, allowing a remote authenticated server to inject shell commands via DNS variables. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts on confidentiality, integrity, and availability.

An attacker who operates the OpenVPN server that a client has authenticated to can exploit this vulnerability against any client running the affected versions and configuration. By crafting malicious DNS variables during the connection process, the attacker can execute arbitrary shell commands on the client's POSIX-based system. No user interaction is required, and the low attack complexity combined with network accessibility makes remote code execution with high-impact consequences feasible for an adversary in that server position.

Mitigation details are provided in official advisories, including the OpenVPN community security announcement at https://community.openvpn.net/Security%20Announcements/CVE-2025-10680 and the mailing list post at https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00149.html, published on 2025-10-24. Security practitioners should consult these sources for patch availability, workarounds, and updated version recommendations.
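The three conditions the description ties exposure to (an affected 2.7 pre-release, the --dns-updown directive in the client config, and a POSIX platform) can be turned into a client-side triage check. This is an added example, not code from this page, OpenVPN, or the advisories; it assumes that `openvpn --version` prints a version string of the form `OpenVPN 2.7_beta1 ...`, that every 2.7 alpha plus 2.7_beta1 lies inside the advisory's "2.7_alpha1 through 2.7_beta1" range, and that the config file spells the option as `dns-updown` without the leading dashes.

```python
import re

# Affected range named by the advisory: OpenVPN 2.7_alpha1 through 2.7_beta1 (POSIX only).
# Assumption (mine, not the advisory's): all 2.7 alphas plus 2.7_beta1 fall inside it.
_VERSION_RE = re.compile(r"OpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?(?:_(alpha|beta|rc)(\d+))?")


def parse_version(version_output):
    """Pull (major, minor, patch, stage, stage_num) out of `openvpn --version` text."""
    m = _VERSION_RE.search(version_output)
    if m is None:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), stage, int(num) if num else None)


def version_is_affected(v):
    """True only for 2.7_alphaN (N >= 1) and 2.7_beta1; releases, rc and later betas are not."""
    if v is None:
        return False
    major, minor, _patch, stage, num = v
    if (major, minor) != (2, 7) or stage is None:
        return False
    return (stage == "alpha" and num >= 1) or (stage == "beta" and num == 1)


def config_uses_dns_updown(config_text):
    """True if the client config carries an explicit dns-updown directive.
    Assumption: only explicit directives are checked; platform defaults are not modelled,
    so False here does not prove the feature is off. Lines starting with # or ; are comments."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.split()[0] == "dns-updown":
            return True
    return False


def assess_client(version_output, config_text, platform):
    """Combine the advisory's three exposure conditions into one triage verdict."""
    posix = platform.lower() != "windows"
    affected_version = version_is_affected(parse_version(version_output))
    dns_updown = config_uses_dns_updown(config_text)
    return {"affected_version": affected_version, "dns_updown": dns_updown, "posix": posix,
            "exposed": affected_version and dns_updown and posix}


# Constructed sample inputs (not a real host); the script path is a placeholder.
SAMPLE_VERSION = "OpenVPN 2.7_beta1 x86_64-pc-linux-gnu [SSL (OpenSSL)]"
SAMPLE_CONFIG = "client\nremote vpn.example.test 1194\n# comment lines are ignored\ndns-updown /path/to/updown-script\n"
```

Calling `assess_client(SAMPLE_VERSION, SAMPLE_CONFIG, "linux")` on the constructed sample reports `exposed: True`; the same config on `"windows"` or with an OpenVPN 2.6 version string reports `False`.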

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: OpenVPN (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-56089 (shared CWE-78)
- CVE-2025-64328 (shared CWE-78)
- CVE-2025-34312 (shared CWE-78)
- CVE-2025-60965 (shared CWE-78)
- CVE-2026-28287 (shared CWE-78)
- CVE-2025-47900 (shared CWE-78)
- CVE-2025-45379 (shared CWE-78)
- CVE-2025-56084 (shared CWE-78)
- CVE-2025-11142 (shared CWE-78)
- CVE-2025-59359 (shared CWE-78)
