CVE-2025-3908

Summary

The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.

Affected Software

VendorProductVersion RangeStatus
OpenVPNOpenVPN 3 Linuxv20 <= v24affected

Weaknesses

  • CWE-59: CWE-59 Improper Link Resolution Before File Access ('Link Following')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References