Description:
OpenVPN Access Server uses the OpenVPN 2 codebase at its core for VPN connections. OpenVPN Access Server versions 2.11.0 through 2.14.2 ship a copy of OpenVPN 2.6 that contains a remote denial-of-service (DoS) vulnerability.
To trigger the denial of service, the server must be running with TLS Crypt v2 configured, which is the default configuration of OpenVPN Access Server. Additionally, an attacker needs either a valid TLS Crypt v2 client key (such a key can be part of a connection profile, so anyone holding a profile that includes one meets this condition), or the ability to observe and manipulate the TLS Crypt v2 handshake traffic while it is in flight and alter it in a specific way that causes a server-side crash.
At no point is the integrity or confidentiality of VPN data compromised, nor the encryption or authentication of sessions, and there is no escalation path to remote code execution or privilege escalation. It is purely a denial-of-service vulnerability.
We strongly recommend that anyone running OpenVPN Access Server version 2.11.0 through 2.14.2 upgrade to the latest version of Access Server to address this vulnerability. Version 2.14.3 and newer contain the fix.
Resolution:
Update your OpenVPN Access Server to the latest version as soon as possible; it contains the fix for this vulnerability. Version 2.14.3 and newer contain the fix. The procedure for upgrading Access Server can be found here: Keeping OpenVPN Access Server Updated. The CVE assigned to this issue is CVE-2025-2704.
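As an added example (not part of this advisory and not OpenVPN's own tooling), the following Python script encodes the affected range stated above so it can be run over an inventory of reported Access Server version strings. It assumes each string starts with dotted integers such as "2.14.2" and ignores anything after them; the hostnames and versions in the sample inventory are constructed. The reason for comparing integer tuples rather than raw strings is that a version such as 2.14.10 must sort after 2.14.2, which a lexical comparison gets wrong.

```python
"""Affected-version check for CVE-2025-2704 in OpenVPN Access Server.

Added example for this advisory; it is not OpenVPN's own tooling.
It encodes the range the advisory states: versions 2.11.0 through 2.14.2
carry the vulnerable OpenVPN 2.6 copy, 2.14.3 and newer carry the fix.
Assumption: the version string you feed in starts with dotted integers
(e.g. "2.14.2"); anything after that, such as a build tag, is ignored.
"""
import re

CVE_ID = "CVE-2025-2704"
FIRST_AFFECTED = (2, 11, 0)   # inclusive lower bound from the advisory
FIRST_FIXED = (2, 14, 3)      # first version that contains the fix

_LEADING_VERSION = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the leading dotted-numeric part of `text` as a tuple of ints.

    Tuples of ints compare component-wise, so (2, 14, 10) > (2, 14, 2);
    comparing the raw strings would rank "2.14.10" below "2.14.2".
    Short versions are padded to three components ("2.14" -> (2, 14, 0)).
    Raises ValueError if no version number is present.
    """
    match = _LEADING_VERSION.match(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version_text):
    """True if the version falls inside the advisory's affected range."""
    version = parse_version(version_text)
    return FIRST_AFFECTED <= version < FIRST_FIXED


def classify(version_text):
    """Map a reported version string to a triage status."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown: version not parseable, check manually"
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return f"affected by {CVE_ID}: upgrade to 2.14.3 or newer"
    return "below stated affected range: not covered by this advisory"


def triage(inventory):
    """inventory: dict of hostname -> version string as reported by the server.
    Returns dict of hostname -> status string."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-eu-1": "2.14.2",
    "vpn-eu-2": "2.14.3",
    "vpn-us-1": "2.11.0",
    "vpn-us-2": "2.14.10",
    "vpn-lab": "2.10.5",
    "vpn-old": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:10s} {status}")
```

Since TLS Crypt v2 is the default configuration, the check is deliberately version-only: a server in the affected range should be treated as exposed unless you have confirmed otherwise, and a version that cannot be parsed is flagged for manual review rather than silently skipped.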