CVE-2025-13751

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.openvpn.net/Security%20Announcements/CVE-2025-13751	Vendor Advisory
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html	Mailing List Release Notes
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html	Mailing List Release Notes

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:openvpn:openvpn:::::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha1:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha2:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha3:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta1:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta2:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta3:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:rc1:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:rc2:::community:::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

30 Jan 2026, 18:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Openvpn openvpn Openvpn Microsoft Microsoft windows
CPE		cpe:2.3:a:openvpn:openvpn:2.7:alpha3:::community:::* cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:openvpn:openvpn:2.7:rc2:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:alpha1:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta2:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta1:::community:::* cpe:2.3:a:openvpn:openvpn:::::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta3:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:alpha2:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:rc1:::community:::*
References	~~() https://community.openvpn.net/Security%20Announcements/CVE-2025-13751 -~~	() https://community.openvpn.net/Security%20Announcements/CVE-2025-13751 - Vendor Advisory
References	~~() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html -~~	() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html - Mailing List, Release Notes
References	~~() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html -~~	() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html - Mailing List, Release Notes
Summary		(es) El agente de servicio interactivo en OpenVPN desde la versión 2.5.0 hasta la 2.7_rc2 en Windows permite a un usuario local autenticado conectarse al servicio y desencadenar un error, causando una denegación de servicio local.

12 Dec 2025, 14:15

Type	Values Removed	Values Added
Summary	~~(en) Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.~~	(en) Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.
References	~~{'url': 'https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.htmlhttps://', 'source': 'security@openvpn.net'}~~	() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html -

03 Dec 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-03 17:15

Updated : 2026-01-30 18:43

NVD link : CVE-2025-13751

Mitre link : CVE-2025-13751

CVE.ORG link : CVE-2025-13751

JSON object : View

Products Affected

openvpn

openvpn

microsoft

windows

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-775

Missing Release of File Descriptor or Handle after Effective Lifetime

CWE-841

Improper Enforcement of Behavioral Workflow

5.5 /10