Vulnerability Discovered in OpenVPN Clients

Arkadiy Andrienko

Users of the OpenVPN client are at risk after a vulnerability was discovered in the software that allows VPN providers to run arbitrary commands on clients' devices. The issue affects versions 2.7_alpha1 through 2.7_beta1. Computers running Linux, macOS, and other UNIX-like operating systems are primarily at risk.

The vulnerability comes down to insufficient validation of the data the client receives from the server on connection. Maliciously crafted DNS settings pushed by the server could be mishandled by an internal OpenVPN script responsible for network configuration, opening a path to executing malicious code with administrator privileges.
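The defensive pattern the article implies, validating every server-supplied DNS value against a strict grammar before a privileged helper script consumes it, as an added illustration that is not OpenVPN's own code; the helper path `/usr/libexec/apply_dns` and its option names are hypothetical:

```python
"""Validate server-pushed DNS settings before handing them to a helper (illustrative, not OpenVPN code)."""
import ipaddress
import re
from typing import List

# RFC 1035-style label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_dns_server(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address; anything else, including shell metacharacters, is rejected."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def valid_search_domain(value: str) -> bool:
    """Accept only a syntactically valid DNS name of at most 253 characters."""
    if not value or len(value) > 253:
        return False
    name = value.rstrip(".")  # tolerate a trailing dot for a fully qualified name
    return all(_LABEL.match(label) for label in name.split("."))


def build_dns_command(servers: List[str], domains: List[str]) -> List[str]:
    """Return an argv list for the hypothetical helper, or raise if any pushed value fails validation."""
    for s in servers:
        if not valid_dns_server(s):
            raise ValueError(f"rejected DNS server value: {s!r}")
    for d in domains:
        if not valid_search_domain(d):
            raise ValueError(f"rejected search domain value: {d!r}")
    # argv form for subprocess.run(): no shell is involved, so values cannot be reinterpreted as commands.
    return ["/usr/libexec/apply_dns", "--servers", ",".join(servers), "--domains", ",".join(domains)]


if __name__ == "__main__":
    # Constructed sample inputs: one benign push and one carrying shell metacharacters.
    print(build_dns_command(["10.8.0.1", "2001:db8::53"], ["corp.example"]))
    try:
        build_dns_command(["10.8.0.1"], ["corp.example; echo injected"])
    except ValueError as e:
        print("blocked:", e)
```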

Cybersecurity experts point out that the threat only becomes real when connecting to unverified VPN servers. In such a scenario, an attacker could potentially gain control of the system, copy confidential files, or install unwanted software. The vulnerability, registered as CVE-2025-10680, is rated 8.1 on the CVSS scale, a high severity level; the attack requires no prior authentication by the attacker.

OpenVPN developers have already responded to the incident and released an updated version, 2.7_beta2, in which the issue was addressed. However, regular users are advised not to install test builds and to wait for the release version.

Users on stable OpenVPN 2.6.x releases are not affected. This situation serves as a reminder that using software in active development requires increased attention to security, especially when it comes to tools that handle network traffic.
