{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openvpn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openvpn-auth-oauth2"],"_cs_severities":["critical"],"_cs_tags":["openvpn","authentication-bypass","vpn"],"_cs_type":"advisory","_cs_vendors":["jkroepke"],"content_html":"\u003cp\u003eOpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI \u003ccode\u003eopenvpn\u003c/code\u003e, which do not advertise WebAuth/SSO support (\u003ccode\u003eIV_SSO=webauth\u003c/code\u003e), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. This vulnerability is addressed in version 1.27.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).\u003c/li\u003e\n\u003cli\u003eAttacker uses a standard OpenVPN client (e.g., Linux \u003ccode\u003eopenvpn\u003c/code\u003e CLI) that does not support WebAuth/SSO.\u003c/li\u003e\n\u003cli\u003eThe client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.\u003c/li\u003e\n\u003cli\u003eThe openvpn-auth-oauth2 plugin attempts to deny the client by writing \u0026ldquo;0\u0026rdquo; to the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly returns \u003ccode\u003eOPENVPN_PLUGIN_FUNC_SUCCESS\u003c/code\u003e to the OpenVPN server.\u003c/li\u003e\n\u003cli\u003eOpenVPN interprets the \u003ccode\u003eFUNC_SUCCESS\u003c/code\u003e return code as successful authentication, ignoring the \u0026ldquo;0\u0026rdquo; in the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit \u003ca href=\"https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2\"\u003e\u003ccode\u003e36f69a6\u003c/code\u003e\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing \u003ccode\u003eIV_SSO=webauth\u003c/code\u003e in the logs) and correlate with network access activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:29:22Z","date_published":"2026-04-22T14:29:22Z","id":"/briefs/2026-04-openvpn-auth-bypass/","summary":"A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.","title":"OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode","url":"https://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-1490"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2024-1490","wago-plc","openvpn","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2024-1490 describes a critical vulnerability affecting WAGO Programmable Logic Controllers (PLCs). A remote attacker with existing high-privilege access to the PLC\u0026rsquo;s web-based management interface can exploit the OpenVPN configuration. The vulnerability stems from insufficient input validation within the OpenVPN configuration settings. If the PLC\u0026rsquo;s OpenVPN setup permits user-defined scripts, a malicious actor can inject arbitrary shell commands. Successful exploitation allows the attacker to execute arbitrary code on the underlying operating system of the WAGO PLC, potentially leading to full device compromise. This vulnerability was reported by CERT VDE and impacts WAGO PLCs that utilize a vulnerable web-based management interface and permit user-defined scripts in their OpenVPN configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial high-privilege access to the WAGO PLC\u0026rsquo;s web-based management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OpenVPN configuration section within the management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the OpenVPN configuration allows for user-defined scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious OpenVPN configuration file or injects malicious commands via existing configuration options. This configuration contains embedded shell commands designed for execution on the PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or applies the modified OpenVPN configuration to the WAGO PLC through the web interface.\u003c/li\u003e\n\u003cli\u003eThe WAGO PLC processes the OpenVPN configuration, leading to the execution of the attacker-supplied shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the underlying operating system of the WAGO PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this initial foothold to perform further actions, such as deploying malware, exfiltrating sensitive information, or disrupting industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1490 allows an attacker to execute arbitrary code on a WAGO PLC. This can lead to complete compromise of the device, potentially affecting the industrial processes it controls. An attacker could disrupt operations, manipulate data, or use the compromised PLC as a pivot point for further attacks within the industrial network. The severity of the impact depends on the role of the compromised PLC within the industrial environment, potentially leading to significant financial losses, safety incidents, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict access to the WAGO PLC\u0026rsquo;s web-based management interface by enforcing strong authentication and authorization mechanisms to prevent unauthorized access (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of user-defined scripts within the OpenVPN configuration to mitigate the risk of command injection (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to OpenVPN configuration changes, looking for unusual POST requests or configuration parameters (see \u0026ldquo;rules\u0026rdquo; section below).\u003c/li\u003e\n\u003cli\u003eImplement regular security audits of WAGO PLC configurations, focusing on OpenVPN settings and user-defined scripts (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eReview and apply the security recommendations provided by CERT VDE in their advisory, available at \u003ca href=\"https://certvde.com/de/advisories/VDE-2024-008\"\u003ehttps://certvde.com/de/advisories/VDE-2024-008\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T11:16:19Z","date_published":"2026-04-09T11:16:19Z","id":"/briefs/2026-04-wago-plc-openvpn-rce/","summary":"An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC to achieve arbitrary command execution on the device.","title":"WAGO PLC OpenVPN Configuration Vulnerability (CVE-2024-1490)","url":"https://feed.craftedsignal.io/briefs/2026-04-wago-plc-openvpn-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Openvpn","version":"https://jsonfeed.org/version/1.1"}