CVE-2026-25998
Published: 19 February 2026
Summary
CVE-2026-25998 is a high-severity vulnerability in strongMan, the web management interface for strongSwan, classified as CWE-323 (Reusing a Nonce, Key Pair in Encryption). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials: Private Keys (T1552.004). It ranks at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
strongMan, a web management interface for strongSwan (an open-source IPsec-based VPN), has a flaw in its credential storage (CVE-2026-25998). Before version 0.2.0, the database fields holding private keys and EAP secrets were encrypted with AES in CTR mode under a single global database key and a fixed initialization vector (IV), so every field was encrypted with the same key stream. Certificates, which are public, are stored under the same mechanism, so XORing a certificate's ciphertext with the certificate itself recovers the key stream, and the key stream then decrypts the other fields.
The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5) rates the attack as requiring no privileges or user interaction, but the practical precondition is read access to the database contents, whether through a dump, a backup, or a compromised host. From the encrypted certificates the attacker obtains a key stream as long as the longest certificate; every secret no longer than that, typically ECDSA private keys and EAP secrets, decrypts completely, and longer secrets lose their prefix. Recovered private keys and EAP secrets compromise the authentication of the VPN peers that rely on them.
The strongMan GitHub security advisory recommends upgrading to version 0.2.0, which addresses the issue by adopting AES-GCM-SIV encryption with a random nonce and an individually derived encryption key per value using HKDF. Database migrations are included to automatically re-encrypt all existing credentials. Details are available at https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr.
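The keystream-reuse attack described above, together with the shape of the 0.2.0 fix, as an added Python example that is not strongMan's own code: the database rows, PEM bodies, field names and the HKDF `info` label are constructed for illustration, and AES-GCM stands in for the AES-GCM-SIV that 0.2.0 uses because GCM-SIV needs a recent OpenSSL build. The property shown is the one that matters: a fresh HKDF-derived key and a random nonce per value, so no two fields ever share a (key, nonce) pair and hence a keystream. Requires the `cryptography` package.

```python
"""
Keystream reuse in pre-0.2.0 strongMan credential storage, and the shape of the
0.2.0-style fix. Added example, not strongMan's code: the rows, PEM bodies, field
names and the HKDF info label are constructed for illustration.
Requires the `cryptography` package.
"""
import os
import secrets

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# ---- vulnerable scheme: one global key, one fixed IV, AES-CTR ----------------
DB_KEY = secrets.token_bytes(32)   # global database key (random here, constructed)
FIXED_IV = bytes(16)               # the same IV for every field


def vulnerable_encrypt(plaintext: bytes) -> bytes:
    """AES-CTR under (DB_KEY, FIXED_IV): every call yields the same keystream K,
    so each stored field is simply plaintext XOR K."""
    enc = Cipher(algorithms.AES(DB_KEY), modes.CTR(FIXED_IV)).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: a certificate is public, so its ciphertext XOR the
    certificate itself is the keystream, as long as the certificate."""
    return xor(ciphertext, known_plaintext)


def decrypt_prefix(ciphertext: bytes, keystream: bytes) -> bytes:
    """Fields no longer than the keystream decrypt completely; longer fields
    still leak their first len(keystream) bytes."""
    return xor(ciphertext, keystream)


# Constructed sample rows: a public certificate and two shorter secrets.
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + b"A" * 400
            + b"\n-----END CERTIFICATE-----\n")
EC_KEY_PEM = (b"-----BEGIN EC PRIVATE KEY-----\n" + b"B" * 160
              + b"\n-----END EC PRIVATE KEY-----\n")
EAP_SECRET = b"eap-user-1:Tr0ub4dor&3"


def run_attack() -> dict:
    """Attacker view: only the encrypted rows plus the public certificate."""
    rows = {name: vulnerable_encrypt(value) for name, value in
            (("cert", CERT_PEM), ("eckey", EC_KEY_PEM), ("eap", EAP_SECRET))}
    keystream = recover_keystream(rows["cert"], CERT_PEM)
    return {
        "keystream_bytes": len(keystream),
        "eckey": decrypt_prefix(rows["eckey"], keystream),
        "eap": decrypt_prefix(rows["eap"], keystream),
    }


# ---- hardened scheme: per-value HKDF key + random nonce + AEAD ---------------
# strongMan 0.2.0 uses AES-GCM-SIV. AES-GCM stands in here because it is present
# in every build of `cryptography`; the property that removes the shared
# keystream is the same: each value gets its own derived key and its own nonce,
# so no two values are ever encrypted under the same (key, nonce) pair.
SALT_LEN, NONCE_LEN = 16, 12


def derive_value_key(db_key: bytes, salt: bytes) -> bytes:
    """Per-value key: HKDF-SHA256 over the global key with a random salt."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=salt,
                info=b"strongman-field-v1").derive(db_key)   # info label constructed


def hardened_encrypt(db_key: bytes, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    ct = AESGCM(derive_value_key(db_key, salt)).encrypt(nonce, plaintext, None)
    return salt + nonce + ct   # salt and nonce are stored with the ciphertext


def hardened_decrypt(db_key: bytes, blob: bytes) -> bytes:
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:]
    return AESGCM(derive_value_key(db_key, salt)).decrypt(nonce, ct, None)


def keystreams_differ(db_key: bytes, plaintext: bytes) -> bool:
    """Encrypting the same value twice must give unrelated ciphertexts: if the
    keystreams were shared, the two ciphertext bodies would be identical."""
    start, end = SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + len(plaintext)
    a, b = hardened_encrypt(db_key, plaintext), hardened_encrypt(db_key, plaintext)
    return a[start:end] != b[start:end]


if __name__ == "__main__":
    result = run_attack()
    print(f"recovered {result['keystream_bytes']} keystream bytes; "
          f"EC key recovered: {result['eckey'] == EC_KEY_PEM}; "
          f"EAP secret recovered: {result['eap'] == EAP_SECRET}")
    blob = hardened_encrypt(DB_KEY, EAP_SECRET)
    print("hardened round-trip ok:", hardened_decrypt(DB_KEY, blob) == EAP_SECRET,
          "| keystreams differ:", keystreams_differ(DB_KEY, EAP_SECRET))
```

Note that the attack never touches AES: once one ciphertext has a known plaintext, the vulnerable scheme degrades to a one-time pad with a reused pad, and any field shorter than that plaintext falls out with a single XOR. The hardened side stores the salt and nonce next to the ciphertext, which is safe because neither is secret; what must stay secret is the global key from which HKDF derives each per-value key.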
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8439
Vulnerability details
strongMan is a management interface for strongSwan, an open-source IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
CWE(s)
- CWE-323: Reusing a Nonce, Key Pair in Encryption
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1552.004: Unsecured Credentials: Private Keys
Why this technique?
The vulnerability enables direct recovery of stored private keys (and EAP secrets) through keystream reuse in AES-CTR under a fixed IV and a global key, with the stored certificates serving as known plaintext; this maps to access to insecurely stored private keys.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring identification, reporting, and timely correction of the encryption flaw in strongMan through vendor-provided patches and upgrades to version 0.2.0.
- SC-28 (Protection of Information at Rest): mandates protection of sensitive credentials like private keys and EAP secrets at rest in the database using FIPS-validated cryptographic mechanisms, preventing keystream recovery even if the database is accessed.
- SC-12 (Cryptographic Key Establishment and Management): requires proper cryptographic key establishment and management processes, avoiding the use of global keys and fixed IVs that enable keystream reuse and secret decryption from public certificates.