CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-3908: The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary...

6.2 CVSS

Description

The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.

Classification

CVE ID: CVE-2025-3908

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Affected Products

Vendor: OpenVPN

Product: OpenVPN 3 Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.16% (scored less or equal to compared to others)

EPSS Date: 2025-06-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3908
https://community.openvpn.net/Security%20Announcements/CVE-2025-3908

Timeline

2025-05-19 16:40:11 UTC
CVE

The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary...