CVE-2026-25998
Published: 19 February 2026
Summary
CVE-2026-25998 is a high-severity vulnerability of type Reusing a Nonce, Key Pair in Encryption (CWE-323) in strongMan, the management interface for strongSwan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables direct recovery of stored private keys and EAP secrets through key-stream reuse: AES-CTR under one global database key with no per-field IV, combined with certificates (known plaintext) encrypted under that same key stream. Recovering private keys from their storage location maps to Unsecured Credentials: Private Keys (T1552.004).
NVD Description
strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
Deeper analysis
strongMan, a management interface for strongSwan, an open-source IPsec-based VPN, contains a vulnerability in its credential storage (CVE-2026-25998). Before version 0.2.0 it encrypted the database fields holding private keys and EAP secrets with AES in CTR mode under a single global database key and without a per-field IV, so every field was XORed with the same key stream. Two ciphertexts produced under one key stream leak the XOR of their plaintexts, and any field whose plaintext is known reveals the key stream itself.
The practical precondition is read access to the database contents, for example a dump or backup copy; no further privileges are needed once that access exists (the CVSS v3 vector given is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5). Certificates are public information, so an attacker who holds both the encrypted certificate field and the certificate itself recovers a key-stream prefix as long as the certificate. ECDSA private keys and EAP secrets are usually much shorter than a certificate, so they fall entirely within that prefix and decrypt directly; longer secrets are recovered up to the length of the longest known plaintext. The recovered private keys and EAP secrets are the credentials strongSwan uses to authenticate IPsec peers, so VPN authentication is compromised.
The strongMan GitHub security advisory recommends upgrading to version 0.2.0, which replaces the scheme with AES-GCM-SIV using a random nonce per value and an encryption key derived individually for each value with HKDF, so no two fields share a key stream and ciphertexts are authenticated. The release includes database migrations that re-encrypt all existing credentials automatically. Re-encryption cannot help against a database copy that was taken before the upgrade, so credentials stored in an exposed pre-0.2.0 database should be treated as compromised and rotated. Details are available at https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr.
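The key-stream recovery outlined in the description and the analysis above, together with the per-value nonce and HKDF key derivation of the 0.2.0 fix, as an added Python example that is not strongMan's own code. A SHA-256 based pseudo-random function stands in for AES so the script runs with the standard library alone; the attack uses only the XOR structure of CTR mode, so the steps are identical against AES-CTR. The GLOBAL_KEY, the certificate, ECDSA key and EAP secret strings, and all function names are constructed for illustration, and the hardened scheme reproduces the nonce and HKDF half of the fix but not the authentication tag that AES-GCM-SIV adds.

```python
"""Key-stream reuse in CTR-mode field encryption and the per-value fix.

Added example for this page; not strongMan's code. A SHA-256 based PRF
replaces the block cipher so this runs offline with the standard library.
All keys, certificates and secrets below are constructed sample data.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style key stream: block_i = PRF(key, iv || counter_i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


# Vulnerable scheme (strongMan before 0.2.0): one global key, no per-field IV,
# so every database field is XORed with the very same key stream.
GLOBAL_KEY = hashlib.sha256(b"constructed global database key").digest()
FIXED_IV = bytes(16)


def encrypt_vulnerable(plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(GLOBAL_KEY, FIXED_IV, len(plaintext)))


# Hardened scheme modelled on the 0.2.0 fix: a random nonce per value, stored
# with the ciphertext, and a per-value key derived from the database key with
# HKDF. The real fix uses AES-GCM-SIV, which also authenticates the ciphertext;
# that authentication tag is not reproduced in this stand-in.
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encrypt_hardened(plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    value_key = hkdf_sha256(GLOBAL_KEY, nonce, b"per-value field key", 32)
    return nonce + xor(plaintext, keystream(value_key, nonce, len(plaintext)))


def decrypt_hardened(blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    value_key = hkdf_sha256(GLOBAL_KEY, nonce, b"per-value field key", 32)
    return xor(ciphertext, keystream(value_key, nonce, len(ciphertext)))


def recover_with_known_plaintext(known_pt: bytes, known_ct: bytes, target_ct: bytes) -> bytes:
    """Attacker step: C_known XOR P_known is the key-stream prefix; XOR it onto
    the target ciphertext. Only the first len(known_pt) bytes of the target are
    recovered, which is why a long public certificate unlocks every shorter
    secret (ECDSA keys, EAP secrets) stored under the same key stream."""
    ks_prefix = xor(known_ct, known_pt)
    return xor(target_ct, ks_prefix)


# Constructed database contents: a public, comparatively long certificate and
# two shorter private values, as they would sit in the credential tables.
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + b"MIIB" + b"A" * 600 + b"\n-----END CERTIFICATE-----\n"
ECDSA_KEY = b"-----BEGIN EC PRIVATE KEY-----\n" + b"MHcC" + b"B" * 140 + b"\n-----END EC PRIVATE KEY-----\n"
EAP_SECRET = b'alice : EAP "constructed-eap-password"'


def demo() -> dict:
    # Vulnerable database: the attacker holds the encrypted rows and the
    # certificate itself (public), nothing else.
    cert_ct = encrypt_vulnerable(CERT_PEM)
    key_ct = encrypt_vulnerable(ECDSA_KEY)
    eap_ct = encrypt_vulnerable(EAP_SECRET)
    recovered_key = recover_with_known_plaintext(CERT_PEM, cert_ct, key_ct)
    recovered_eap = recover_with_known_plaintext(CERT_PEM, cert_ct, eap_ct)

    # Hardened database: same attacker, same knowledge; the key stream learned
    # from the certificate belongs to that value's derived key only.
    h_cert = encrypt_hardened(CERT_PEM)
    h_key = encrypt_hardened(ECDSA_KEY)
    wrong_key = recover_with_known_plaintext(CERT_PEM, h_cert[16:], h_key[16:])

    return {
        "vulnerable_leaks_ecdsa_key": recovered_key == ECDSA_KEY,
        "vulnerable_leaks_eap_secret": recovered_eap == EAP_SECRET,
        "hardened_leaks_ecdsa_key": wrong_key == ECDSA_KEY,
        "hardened_roundtrip": decrypt_hardened(h_key) == ECDSA_KEY,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two vulnerable checks come out true and the hardened attack false: once each value has its own nonce and derived key, knowing one plaintext says nothing about any other field. In a real assessment the same XOR step works on ciphertext pulled from a database dump, with the known certificate taken from the VPN handshake or a public cert store.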
Details
- CWE(s)