CRITICAL🇵🇱 Wersja polska

CVE-2025-25568

CVSS 9.8v3.1pub. 2025-03-12upd. 2025-07-19

SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function. NOTE: the Supplier disputes this because the use-after-free is not in the VPN software, but is instead in a separate tool that has no untrusted input and runs under the user's own privileges (it is a stress-testing tool for a networking stack).

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-416 (use-after-free) and consists of improper access to a memory area already freed by the process, which can lead to data corruption or arbitrary code execution. The reported bug is located in the CheckNetworkAcceptThread function in the Command.c file. However, the vendor (SoftEther) maintains that the vulnerability does not occur in the VPN software itself, but in a separate tool used for testing network stack load, which does not process untrusted input data and operates only with the privileges of the user running it.

Impact

If the vulnerability is indeed exploitable, an attacker could potentially gain full control over the vulnerable system through arbitrary code execution (RCE) or privilege escalation. Due to the vendor's dispute regarding the scope of the vulnerability, the actual impact on VPN production environments remains unconfirmed.

Mitigation & patch

Apply patches available from the vendor according to the references. Due to the vendor's dispute regarding the scope of the vulnerability, it is recommended to monitor official SoftEther communications and the CVE-2025-25568.pdf document published by the vendor. Until the dispute is clarified, it is advisable to restrict access to tool components and monitor production environments.

Who is affected

SoftEther VPN version 5.02.5187; according to the vendor, the bug affects only a separate testing tool, not the main VPN component

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Softether Vpn

    APP
    Softether
    5.02.5187
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
MemoryVPN
CWE
References

Related vulnerabilities

CVE-2025-25565CRITICAL9.8PL ✓ten sam produkt

Buffer Overflow w SoftEther VPN – funkcje PtMakeCert i PtMakeCert2048

CVE-2025-25567CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w SoftEther VPN – funkcja UniToStrForSingleChars

CVE-2023-27395CRITICAL9.0ten sam produkt

A heap-based buffer overflow vulnerability exists in the vpnserver WpcParsePacket() functionality of SoftEther...

CVE-2023-23581HIGH7.5ten sam produkt

A denial-of-service vulnerability exists in the vpnserver EnSafeHttpHeaderValueStr functionality of SoftEther ...

CVE-2023-25774HIGH7.5ten sam produkt

A denial-of-service vulnerability exists in the vpnserver ConnectionAccept() functionality of SoftEther VPN 5....