Cyber Posture

CVE-2025-62291

High

Published: 16 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62291 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in strongSwan (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 2.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly mandating patching of the strongSwan eap-mschapv2 plugin to version 6.0.3 or later to remediate the integer underflow vulnerability.

prevent

SI-10 enforces validation of all information inputs to the system, which could reject or sanitize crafted EAP-MSCHAPv2 messages with invalid sizes (6-8 bytes) that trigger the underflow.

prevent

SI-16 implements memory protection mechanisms such as ASLR and non-executable heap memory, mitigating exploitation of the heap-based buffer overflow resulting from the integer underflow.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An integer underflow in the client-side EAP-MSCHAPv2 plugin enables a remote heap overflow/RCE when the client connects to a malicious server (direct client-side exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.

Deeper analysis

CVE-2025-62291 is an integer underflow vulnerability (CWE-191) in the client-side eap-mschapv2 plugin of strongSwan versions prior to 6.0.3. A malicious EAP-MSCHAPv2 server can trigger the issue by sending a crafted message with a size between 6 and 8 bytes, leading to a potential heap-based buffer overflow. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
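The length arithmetic behind this class of bug, as an added example (not strongSwan's code and not from the original page). The 6-byte minimum and 9-byte full header are assumed values, chosen only to be consistent with the 6 through 8 byte range in the description; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for illustration; not taken from strongSwan's source. */
#define SHORT_HDR_LEN 6u   /* minimum length the receiver accepts */
#define FULL_HDR_LEN  9u   /* bytes subtracted before the body is copied */

/* Unchecked arithmetic: for msg_len 6..8 the unsigned subtraction wraps
 * around to a value close to SIZE_MAX instead of going negative. */
size_t body_len_unchecked(size_t msg_len)
{
    return msg_len - FULL_HDR_LEN;
}

/* Checked arithmetic: returns 0 and sets *out, or -1 when the message is
 * shorter than the header that is about to be subtracted. */
int body_len_checked(size_t msg_len, size_t *out)
{
    if (msg_len < FULL_HDR_LEN)
        return -1;
    *out = msg_len - FULL_HDR_LEN;
    return 0;
}

/* Copies the message body into dst; returns bytes copied, or -1 on reject. */
long copy_body(const uint8_t *msg, size_t msg_len,
               uint8_t *dst, size_t dst_cap)
{
    size_t body;

    if (msg == NULL || dst == NULL || msg_len < SHORT_HDR_LEN)
        return -1;
    if (body_len_checked(msg_len, &body) != 0)
        return -1;              /* closes the 6..8 byte window */
    if (body > dst_cap)
        return -1;              /* never write past the destination */
    memcpy(dst, msg + FULL_HDR_LEN, body);
    return (long)body;
}
```

The point of the second check is that a minimum-length test against the short header alone does not protect a later subtraction of the full header size.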

The attack requires a malicious actor to act as an EAP-MSCHAPv2 server that the affected strongSwan client connects to over the network. The attacker needs no privileges and no user interaction is required, though attack complexity is high. Successful exploitation could allow arbitrary code execution, data corruption, or denial of service on the client system via the heap overflow.

Mitigation involves upgrading to strongSwan 6.0.3 or later, as indicated by the project's GitHub commits and release notes. The official strongSwan blog post details the vulnerability and fix, while Debian LTS announcements provide guidance for affected distributions.

Details

CWE(s)

Affected Products

strongSwan (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-57823 (shared CWE-191)
CVE-2026-32775 (shared CWE-191)
CVE-2025-21158 (shared CWE-191)
CVE-2025-21133 (shared CWE-191)
CVE-2026-31883 (shared CWE-191)
CVE-2026-27297 (shared CWE-191)
CVE-2025-21156 (shared CWE-191)
CVE-2025-21135 (shared CWE-191)
CVE-2026-27296 (shared CWE-191)
CVE-2025-21160 (shared CWE-191)

References