{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39312/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-39312"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dos","softethervpn","cve-2026-39312","l2tp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSoftEtherVPN is an open-source, cross-platform, multi-protocol VPN program. A pre-authentication denial-of-service vulnerability, identified as CVE-2026-39312, affects SoftEther VPN Developer Edition 5.2.5188 and likely earlier versions. Disclosed on April 7, 2026, this vulnerability allows an unauthenticated remote attacker to crash the \u003ccode\u003evpnserver\u003c/code\u003e process, effectively terminating all active VPN sessions. The attack vector involves sending a single malformed EAP-TLS packet over raw L2TP, specifically UDP port 1701. Exploitation of this vulnerability requires no prior authentication, making it easily exploitable and posing a significant risk to organizations relying on SoftEtherVPN for secure remote access. The impact can range from temporary service disruption to complete VPN infrastructure unavailability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable SoftEtherVPN server (version 5.2.5188 or earlier) exposed over UDP port 1701.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malformed EAP-TLS packet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted EAP-TLS packet over raw L2TP (UDP/1701) to the target VPN server.\u003c/li\u003e\n\u003cli\u003eThe SoftEtherVPN server receives the malformed packet.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the \u003ccode\u003evpnserver\u003c/code\u003e process attempts to process the malformed packet.\u003c/li\u003e\n\u003cli\u003eThe processing of the malformed packet triggers a memory allocation issue (CWE-789), causing the \u003ccode\u003evpnserver\u003c/code\u003e process to crash.\u003c/li\u003e\n\u003cli\u003eAll active VPN sessions are terminated abruptly as the \u003ccode\u003evpnserver\u003c/code\u003e process is no longer running.\u003c/li\u003e\n\u003cli\u003eLegitimate users are disconnected and unable to establish new VPN connections, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39312 results in a denial-of-service condition, disrupting VPN services and preventing legitimate users from accessing internal resources. The vulnerability allows an unauthenticated attacker to remotely crash the VPN server, potentially impacting any organization using SoftEtherVPN for remote access. The impact is a complete outage of VPN services until the \u003ccode\u003evpnserver\u003c/code\u003e process is manually restarted, leading to potential loss of productivity and business disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SoftEtherVPN to a version later than 5.2.5188 to patch CVE-2026-39312.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual or malformed EAP-TLS packets on UDP port 1701, using the \u0026ldquo;Detect SoftEtherVPN Malformed EAP-TLS Packet\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on UDP port 1701 to mitigate the impact of a potential denial-of-service attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:36Z","date_published":"2026-04-07T17:16:36Z","id":"/briefs/2026-04-softether-dos/","summary":"SoftEtherVPN version 5.2.5188 and earlier is vulnerable to a pre-authentication denial-of-service attack where an unauthenticated remote attacker can crash the vpnserver process by sending a malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.","title":"SoftEtherVPN Pre-Authentication Denial-of-Service Vulnerability (CVE-2026-39312)","url":"https://feed.craftedsignal.io/briefs/2026-04-softether-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39312","version":"https://jsonfeed.org/version/1.1"}