Report: Increasing Number of Vulnerabilities in OpenVPN

OpenVPN, a popular open source virtual private network (VPN) system integrated into millions of routers, firmware, PCs, mobile devices and other smart devices, is leaving users open to a growing list of threats, according to a new report from Microsoft.

The company released a security report detailing some of the latest holes in the open source service, and is warning that many of these vulnerabilities could be used in conjunction "to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE)." The report was compiled after Microsoft discussed a handful of new OpenVPN holes during a session at Black Hat USA 2024.

Microsoft initially reported these vulnerabilities to OpenVPN in March 2024 through Coordinated Vulnerability Disclosure (CVD) via the Microsoft Security Vulnerability Research (MSVR) team. Following this, Microsoft and OpenVPN worked together to patch the vulnerabilities, culminating in the release of OpenVPN 2.6.10.   

The discovered vulnerabilities include:

  • CVE-2024-27459: Affects the openvpnserv component, leading to potential denial of service (DoS) and local privilege escalation (LPE) in Windows.
  • CVE-2024-24974: Also within openvpnserv, this vulnerability allows unauthorized access to Windows.
  • CVE-2024-27903: This flaw can result in remote code execution (RCE) on Windows and LPE or data manipulation on Android, iOS, macOS and BSD.
  • CVE-2024-1305: Affects the Windows TAP driver, leading to a potential DoS on Windows.

"All the identified vulnerabilities can be exploited once an attacker gains access to a user's OpenVPN credentials, which could be accomplished using credential theft techniques, such as purchasing stolen credentials on the dark web, using info-stealing malware, or sniffing network traffic to capture NTLMv2 hashes and then using cracking tools like HashCat or John the Ripper to decode them," wrote the Microsoft Threat Intelligence team.

What's interesting is that the discovered vulnerabilities all can be found on the client side. Microsoft stressed that OpennVPN's server is secure, and discovered no holes on that side of the equation.

Microsoft reported these vulnerabilities to OpenVPN in March 2024 through Coordinated Vulnerability Disclosure (CVD) via the Microsoft Security Vulnerability Research (MSVR) team. Following this, Microsoft and OpenVPN worked together to patch the vulnerabilities, culminating in the release of OpenVPN 2.6.10.  However, Microsoft said that users are strongly urged to apply the latest security updates to mitigate potential risks as soon as available.

Microsoft advises organizations using OpenVPN to verify their versions and apply the necessary patches immediately. Ensuring strong credential management and limiting access to VPN services can further mitigate potential risks.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

  • college students in a classroom focus on a silver laptop, with a neural network diagram on the monitor in the background

    Report: 93% of Students Believe Gen AI Training Belongs in Degree Programs

    The vast majority of today's college students — 93% — believe generative AI training should be included in degree programs, according to a recent Coursera report. What's more, 86% of students consider gen AI the most crucial technical skill for career preparation, prioritizing it above in-demand skills such as data strategy and software development.

  • black analog alarm clock sits in front of a digital background featuring a glowing padlock symbol and cybersecurity icons

    The Clock Is Ticking: Higher Education's Big Push Toward CMMC Compliance

    With the United States Department of Defense's Cybersecurity Maturity Model Certification 2.0 framework entering Phase II on Dec. 16, 2025, institutions must develop a cybersecurity posture that's resilient, defensible, and flexible enough to keep up with an evolving threat landscape.

  • server racks, a human head with a microchip, data pipes, cloud storage, and analytical symbols

    OpenAI, Oracle Expand AI Infrastructure Partnership

    OpenAI and Oracle have announced they will develop an additional 4.5 gigawatts of data center capacity, expanding their artificial intelligence infrastructure partnership as part of the Stargate Project, a joint venture among OpenAI, Oracle, and Japan's SoftBank Group that aims to deploy 10 gigawatts of computing capacity over four years.

  • laptop displaying a digital bookshelf of textbooks on its screen

    Collaboration Brings OpenStax Course Materials to Microsoft Learning Zone

    Open education resources provider OpenStax has partnered with Microsoft to integrate its digital library of 80 openly licensed titles into Microsoft Learning Zone, an on-device AI tool for generating interactive lessons and learning activities.