vulnerability
FreeBSD: VID-8604121c-7fc2-11ea-bcac-7781e90b0c8f (CVE-2020-11810): openvpn -- illegal client float can break VPN session for other users
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Apr 16, 2020 | Apr 17, 2020 | Jun 15, 2026 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published
Apr 16, 2020
Added
Apr 17, 2020
Modified
Jun 15, 2026
Description
An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use.
Solutions
freebsd-upgrade-package-openvpnfreebsd-upgrade-package-openvpn-mbedtlsfreebsd-upgrade-package-openvpn-devel
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.