Cyber Resilience

CVE-2026-25998

High

Published: 19 February 2026

Modified: 23 February 2026
KEV Added: not listed
Patch: available (version 0.2.0)
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25998 is a high-severity vulnerability of type CWE-323 (Reusing a Nonce, Key Pair in Encryption) in strongMan, the strongSwan management interface. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The vulnerability ranks at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

strongMan, a management interface for strongSwan—an open-source IPsec-based VPN—contains a vulnerability in its credential storage mechanism (CVE-2026-25998). The affected component encrypts database fields storing private keys and EAP secrets using AES in CTR mode with a global database key and a fixed initialization vector (IV), resulting in the same key stream for every field. This reuse allows an attacker with database access to recover the key stream by exploiting publicly known certificates stored in the database, enabling decryption of other secrets.

An attacker who gains read access to the strongMan database can exploit this flaw without privileges (per its CVSS v3 vector, scored 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By analyzing the encrypted certificates—which are public information—the attacker obtains a significant portion of the key stream. This directly enables decryption of shorter secrets, such as ECDSA private keys and EAP secrets, compromising VPN authentication and encryption.

The strongMan GitHub security advisory recommends upgrading to version 0.2.0, which addresses the issue by adopting AES-GCM-SIV encryption with a random nonce and an individually derived encryption key per value using HKDF. Database migrations are included to automatically re-encrypt all existing credentials. Details are available at https://github.com/strongswan/strongMan/security/advisories/GHSA-88w4-jv97-c8xr.

Vulnerability details

strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
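To make the keystream-reuse point in the analysis and the advisory text concrete, here is an added illustration (not strongMan's code): a fixed-IV, global-key CTR scheme beside the hardened per-value construction, with an audit function that measures how much keystream two stored records share. AES is replaced by an HMAC-SHA256 counter-mode keystream so the block runs with the standard library only; the keys, IV, field label and sample values are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Stand-in for AES-CTR: counter-mode keystream from HMAC-SHA256 (assumed here so
# the example needs no third-party package; the IV-reuse property is the same).
def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Flawed scheme as the advisory describes it: one global key, one fixed IV.
GLOBAL_KEY = b"\x11" * 32   # constructed sample value
FIXED_IV = b"\x00" * 16     # constructed sample value

def encrypt_fixed_iv(plaintext: bytes) -> bytes:
    return xor(plaintext, ctr_keystream(GLOBAL_KEY, FIXED_IV, len(plaintext)))

def shared_keystream_prefix(ct_a: bytes, pt_a: bytes, ct_b: bytes, pt_b: bytes) -> int:
    """Audit check: leading keystream bytes two records share. With a fixed IV
    and global key this covers the whole shorter record."""
    ks_a, ks_b = xor(ct_a, pt_a), xor(ct_b, pt_b)
    n = 0
    while n < min(len(ks_a), len(ks_b)) and ks_a[n] == ks_b[n]:
        n += 1
    return n

# Hardened scheme: random nonce per value, HKDF-derived per-value key. The 0.2.0
# fix also uses AES-GCM-SIV (authenticated); that part is not reproduced here.
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, t, i = b"", b"", 1
    while len(okm) < length:  # expand
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def encrypt_per_value(plaintext: bytes) -> tuple:
    nonce = secrets.token_bytes(16)
    key = hkdf_sha256(GLOBAL_KEY, nonce, b"db-field")  # constructed info label
    return nonce, xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))

def decrypt_per_value(nonce: bytes, ciphertext: bytes) -> bytes:
    key = hkdf_sha256(GLOBAL_KEY, nonce, b"db-field")
    return xor(ciphertext, ctr_keystream(key, nonce, len(ciphertext)))
```

Under the flawed scheme the audit function reports that a short secret's keystream is entirely covered by a longer public certificate's; under the per-value scheme two encryptions of the same secret share no meaningful keystream prefix.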

CWE(s): CWE-323 (Reusing a Nonce, Key Pair in Encryption)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.004 Private Keys Credential Access
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

The vulnerability enables direct recovery of stored private keys (and EAP secrets) through keystream reuse in AES-CTR with a fixed IV and global key, using stored certificates as known plaintext; this maps to access to insecurely stored private keys.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3099 (shared CWE-323)
CVE-2026-5446 (shared CWE-323)
CVE-2025-59870 (shared CWE-323)
CVE-2026-3559 (shared CWE-323)
CVE-2022-26083 (shared CWE-1204)
CVE-2025-47345 (shared CWE-323)
CVE-2026-5087 (shared CWE-1204)

Affected Assets

strongswan / strongman / 0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the CVE by requiring identification, reporting, and timely correction of the encryption flaw in strongMan through vendor-provided patches and upgrades to version 0.2.0.

prevent, SC-28 (Protection of Information at Rest): Mandates protection of sensitive credentials like private keys and EAP secrets at rest in the database using FIPS-validated cryptographic mechanisms, preventing keystream recovery even if the database is accessed.

prevent, SC-12 (Cryptographic Key Establishment and Management): Requires proper cryptographic key establishment and management processes, avoiding the use of global keys and fixed IVs that enable keystream reuse and secret decryption from public certificates.
