https://feed.craftedsignal.io/tags/openvpn/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 22 Apr 2026 14:29:22 +0000https://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/Wed, 22 Apr 2026 14:29:22 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.OpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI openvpn, which do not advertise WebAuth/SSO support (IV_SSO=webauth), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. This vulnerability is addressed in version 1.27.3.

Attack Chain

1. Attacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).
2. Attacker uses a standard OpenVPN client (e.g., Linux openvpn CLI) that does not support WebAuth/SSO.
3. The client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.
4. The openvpn-auth-oauth2 plugin attempts to deny the client by writing “0” to the auth_control_file.
5. The plugin incorrectly returns OPENVPN_PLUGIN_FUNC_SUCCESS to the OpenVPN server.
6. OpenVPN interprets the FUNC_SUCCESS return code as successful authentication, ignoring the “0” in the auth_control_file.
7. The OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.
8. Attacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.

Recommendation

• Immediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit 36f69a6.
• If immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.
• Monitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing IV_SSO=webauth in the logs) and correlate with network access activity.

]]>criticaladvisoryopenvpnauthentication-bypassvpnhttps://feed.craftedsignal.io/briefs/2026-04-wago-plc-openvpn-rce/Thu, 09 Apr 2026 11:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wago-plc-openvpn-rce/An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC to achieve arbitrary command execution on the device.CVE-2024-1490 describes a critical vulnerability affecting WAGO Programmable Logic Controllers (PLCs). A remote attacker with existing high-privilege access to the PLC’s web-based management interface can exploit the OpenVPN configuration. The vulnerability stems from insufficient input validation within the OpenVPN configuration settings. If the PLC’s OpenVPN setup permits user-defined scripts, a malicious actor can inject arbitrary shell commands. Successful exploitation allows the attacker to execute arbitrary code on the underlying operating system of the WAGO PLC, potentially leading to full device compromise. This vulnerability was reported by CERT VDE and impacts WAGO PLCs that utilize a vulnerable web-based management interface and permit user-defined scripts in their OpenVPN configuration.

Attack Chain

1. The attacker gains initial high-privilege access to the WAGO PLC’s web-based management interface.
2. The attacker navigates to the OpenVPN configuration section within the management interface.
3. The attacker identifies that the OpenVPN configuration allows for user-defined scripts.
4. The attacker crafts a malicious OpenVPN configuration file or injects malicious commands via existing configuration options. This configuration contains embedded shell commands designed for execution on the PLC.
5. The attacker uploads or applies the modified OpenVPN configuration to the WAGO PLC through the web interface.
6. The WAGO PLC processes the OpenVPN configuration, leading to the execution of the attacker-supplied shell commands.
7. The attacker achieves arbitrary code execution on the underlying operating system of the WAGO PLC.
8. The attacker can then use this initial foothold to perform further actions, such as deploying malware, exfiltrating sensitive information, or disrupting industrial processes.

Impact

Successful exploitation of CVE-2024-1490 allows an attacker to execute arbitrary code on a WAGO PLC. This can lead to complete compromise of the device, potentially affecting the industrial processes it controls. An attacker could disrupt operations, manipulate data, or use the compromised PLC as a pivot point for further attacks within the industrial network. The severity of the impact depends on the role of the compromised PLC within the industrial environment, potentially leading to significant financial losses, safety incidents, or reputational damage.

Recommendation

• Restrict access to the WAGO PLC’s web-based management interface by enforcing strong authentication and authorization mechanisms to prevent unauthorized access (refer to CVE-2024-1490).
• Disable or restrict the use of user-defined scripts within the OpenVPN configuration to mitigate the risk of command injection (refer to CVE-2024-1490).
• Monitor web server logs for suspicious activity related to OpenVPN configuration changes, looking for unusual POST requests or configuration parameters (see “rules” section below).
• Implement regular security audits of WAGO PLC configurations, focusing on OpenVPN settings and user-defined scripts (refer to CVE-2024-1490).
• Review and apply the security recommendations provided by CERT VDE in their advisory, available at https://certvde.com/de/advisories/VDE-2024-008.

]]>highadvisorycve-2024-1490wago-plcopenvpnrcecode-injection