CVE-2017-7478

HIGH

OpenVPN >=2.3.12 - DoS

Title source: llm

Description

OpenVPN versions 2.3.12 and newer are vulnerable to an unauthenticated denial of service of the server via a received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.

Exploits (1)

exploitdb WORKING POC VERIFIED
by QuarksLab · python · dos · multiple
https://www.exploit-db.com/exploits/41993

Scores

CVSS v3 7.5
EPSS 0.0460
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20 CWE-617
Status published
Products (6)
openvpn/openvpn 2.3.12
openvpn/openvpn 2.3.13
openvpn/openvpn 2.3.14
openvpn/openvpn 2.4.0 (6 CPE variants)
openvpn/openvpn 2.4.1
OpenVPN Technologies, Inc/openvpn 2.3.12 and newer
Published May 15, 2017
Tracked Since Feb 18, 2026