Access Server Security Update (CVE-2025-13086)

Description:

OpenVPN Access Server uses the OpenVPN 2 codebase at its core for VPN connections. OpenVPN Access Server 2.11.0 through 3.0.1 ship with a copy of OpenVPN 2.6 that contains a vulnerability. The vulnerability allows a remote denial-of-service (DoS) attack.

To trigger the remote denial of service, an attacker needs either a valid client key, which can be part of a connection profile, or the ability to monitor and manipulate the handshake network traffic while it is in progress. By altering the handshake in a specific way, the attacker can cause state exhaustion on the server, which then stops accepting new connections.

At no point is the integrity or confidentiality of data compromised, nor is encryption or authentication, and there is no path to remote code execution or privilege escalation. It is purely a denial-of-service vulnerability.

Resolution:

Update your OpenVPN Access Server to the latest version as soon as possible; it contains the fix for this vulnerability. Version 3.0.2 and newer contain the fix. The procedure for upgrading Access Server is described in: Keeping OpenVPN Access Server Updated. The CVE published for this issue is CVE-2025-13086.
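As an added check that is not part of this advisory, the following Python helper classifies an inventory of Access Server hosts by whether their reported version string falls inside the affected range stated above (2.11.0 through 3.0.1, fixed in 3.0.2). The hostnames and versions in the sample inventory are constructed, and how each host's version string is collected is left to you.

```python
import re

# Affected range from the advisory: 2.11.0 through 3.0.1; fixed in 3.0.2 and newer.
AFFECTED_MIN = (2, 11, 0)
FIXED_IN = (3, 0, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn an Access Server version string such as '2.13.1' or 'v3.0.2' into a
    comparable (major, minor, patch) tuple. Any trailing qualifier after the
    numeric part is ignored; missing components default to 0."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is inside the CVE-2025-13086 affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Split a hostname -> version inventory into hosts that need the 3.0.2
    update and hosts that are already outside the affected range."""
    result: dict[str, list[str]] = {"needs_update": [], "ok": []}
    for host, ver in sorted(hosts.items()):
        bucket = "needs_update" if is_affected(ver) else "ok"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "vpn-a.example": "2.11.0",   # oldest affected release
        "vpn-b.example": "3.0.1",    # newest affected release
        "vpn-c.example": "3.0.2",    # first fixed release
        "vpn-d.example": "2.10.3",   # predates the affected range
    }
    print(triage(sample))
```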