{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13751", "assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "state": "PUBLISHED", "assignerShortName": "OpenVPN", "dateReserved": "2025-11-26T16:51:49.203Z", "datePublished": "2025-12-03T16:22:35.771Z", "dateUpdated": "2025-12-12T13:56:20.684Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "shortName": "OpenVPN", "dateUpdated": "2025-12-12T13:56:20.684Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-775", "description": "CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "type": "CWE"}]}], "affected": [{"vendor": "OpenVPN", "product": "OpenVPN", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "2.5.0", "lessThanOrEqual": "2.6.16", "versionType": "semver"}, {"status": "affected", "version": "2.7_alpha1", "lessThanOrEqual": "2.7_rc2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service."}], "references": [{"url": "https://community.openvpn.net/Security%20Announcements/CVE-2025-13751", "tags": ["vendor-advisory"]}, {"url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html", "tags": ["release-notes"]}, {"url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html", "tags": ["release-notes"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "CLEAR", "baseSeverity": "LOW", "baseScore": 1.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Clear"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-03T16:32:17.086600Z", "id": "CVE-2025-13751", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T16:32:26.329Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-03T16:32:17.086600Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T16:32:23.057Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Clear", "exploitMaturity": "UNREPORTED", "providerUrgency": "CLEAR", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenVPN", "product": "OpenVPN", "versions": [{"status": "affected", "version": "2.5.0", "versionType": "semver", "lessThanOrEqual": "2.6.16"}, {"status": "affected", "version": "2.7_alpha1", "versionType": "semver", "lessThanOrEqual": "2.7_rc2"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.openvpn.net/Security%20Announcements/CVE-2025-13751", "tags": ["vendor-advisory"]}, {"url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html", "tags": ["release-notes"]}, {"url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html", "tags": ["release-notes"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-775", "description": "CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow"}]}], "providerMetadata": {"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "shortName": "OpenVPN", "dateUpdated": "2025-12-12T13:56:20.684Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13751", "state": "PUBLISHED", "dateUpdated": "2025-12-12T13:56:20.684Z", "dateReserved": "2025-11-26T16:51:49.203Z", "assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e", "datePublished": "2025-12-03T16:22:35.771Z", "assignerShortName": "OpenVPN"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service."}], "id": "CVE-2025-13751", "lastModified": "2025-12-12T14:15:50.597", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@openvpn.net", "type": "Secondary"}]}, "published": "2025-12-03T17:15:49.913", "references": [{"source": "security@openvpn.net", "url": "https://community.openvpn.net/Security%20Announcements/CVE-2025-13751"}, {"source": "security@openvpn.net", "url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html"}, {"source": "security@openvpn.net", "url": "https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html"}], "sourceIdentifier": "security@openvpn.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-775"}, {"lang": "en", "value": "CWE-841"}], "source": "security@openvpn.net", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenVPN: OpenVPN: Local denial of service vulnerability in interactive service agent", "id": "2418624", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418624"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-770|CWE-775|CWE-841)", "details": ["Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.", "A flaw was found in OpenVPN. This vulnerability allows a local denial of service via a local authenticated user connecting to the interactive service agent on Windows and triggering an error."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-13751", "public_date": "2025-12-03T16:22:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13751\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13751\nhttps://community.openvpn.net/Security%20Announcements/CVE-2025-13751\nhttps://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html\nhttps://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.htmlhttps://"], "statement": "This vulnerability is rated Low for Red Hat. The flaw affects the interactive service agent in OpenVPN on Windows, allowing a local authenticated user to trigger a denial of service. Red Hat's OpenVPN packages are typically deployed on Linux systems and do not include the Windows-specific interactive service agent, therefore No Red Hat products or offerings are affected by this vulnerability.", "threat_severity": "Low"}