Cyber Resilience

CVE-2025-10680

HighRCE

Published: 24 October 2025

Published
24 October 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0021 43.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10680 is a high-severity OS Command Injection (CWE-78) vulnerability in Openvpn (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-10680 is a command injection vulnerability (CWE-78) affecting OpenVPN versions 2.7_alpha1 through 2.7_beta1 on POSIX-based platforms. It arises when the --dns-updown option is enabled, allowing a remote authenticated server to inject shell commands via DNS variables. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts on confidentiality, integrity, and availability.

A remote attacker with server authentication privileges can exploit this vulnerability against an OpenVPN client using the affected versions and configuration. By crafting malicious DNS variables during the connection process, the attacker can execute arbitrary shell commands on the client's POSIX-based system. No user interaction is required, and the low attack complexity combined with network accessibility makes it feasible for authenticated adversaries to achieve remote code execution with high-impact consequences.

Mitigation details are provided in official advisories, including the OpenVPN community security announcement at https://community.openvpn.net/Security%20Announcements/CVE-2025-10680 and the mailing list post at https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00149.html, published on 2025-10-24. Security practitioners should consult these sources for patch availability, workarounds, and updated version recommendations.

EU & UK References

Vulnerability details

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables arbitrary shell command injection (T1059.004: Unix Shell) on POSIX clients via a malicious OpenVPN server and constitutes exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56084Shared CWE-78
CVE-2025-60965Shared CWE-78
CVE-2025-59359Shared CWE-78
CVE-2025-64328Shared CWE-78
CVE-2025-56089Shared CWE-78
CVE-2026-28287Shared CWE-78
CVE-2025-56090Shared CWE-78
CVE-2025-11142Shared CWE-78
CVE-2026-0782Shared CWE-78
CVE-2025-34312Shared CWE-78

Affected Assets

Openvpn
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws, directly addressing the command injection vulnerability in OpenVPN by applying available patches for affected versions.

prevent

Mandates secure baseline configuration settings that disable or restrict the vulnerable --dns-updown option in OpenVPN.

prevent

Restricts system to least functionality by prohibiting unnecessary features like --dns-updown scripts that enable shell command injection via DNS variables.

References