CVE-2025-59692

LOW

PureVPN client < September 2025 - Info Disclosure

Title source: llm

Description

PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system's existing iptables rules and apply default ACCEPT policies when connecting to a VPN server. This removes firewall rules that may have been configured manually or by other software (e.g., UFW, container engines, or system security policies). Upon VPN disconnect, the original firewall state is not restored. As a result, the system may become unintentionally exposed to network traffic that was previously blocked. This affects CLI 2.0.1 and GUI 2.10.0.

References (1)

[Various Sources] https://anagogistis.com/posts/purevpn-ipv6-leak/

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 8.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-669

Status draft

Timeline

Published Sep 18, 2025

Tracked Since Feb 18, 2026