CVE-2023-27395

9.0 CRITICAL

📋 TL;DR

A heap-based buffer overflow in SoftEther VPN's WpcParsePacket() function allows remote attackers to execute arbitrary code via specially crafted network packets. This vulnerability affects SoftEther VPN versions 4.41-9782-beta, 5.01.9674, and 5.02. Attackers can exploit this through man-in-the-middle attacks against VPN connections.

💻 Affected Systems

Products:
  • SoftEther VPN Server
Versions: 4.41-9782-beta, 5.01.9674, 5.02
Operating Systems: Windows, Linux, macOS, FreeBSD, Solaris
Default Config Vulnerable: ⚠️ Yes
Notes: All installations running affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining root/administrator privileges, installing persistent backdoors, and pivoting to internal networks.

🟠 Likely Case: Remote code execution leading to VPN server compromise, credential theft, and network eavesdropping on VPN traffic.

🟢 If Mitigated: Limited impact with proper network segmentation and exploit prevention controls, potentially only denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires man-in-the-middle position but no authentication. Public technical details available in Talos report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.02.5180 or later

Vendor Advisory: https://www.softether.org/9-about/News/904-SEVPN202301

Restart Required: Yes

Instructions:

1. Download the latest version from the SoftEther website.
2. Stop the VPN server service.
3. Install the update.
4. Restart the VPN server service.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate VPN servers from critical internal networks using firewalls.

Disable Vulnerable Versions (platform: linux)

Temporarily disable SoftEther VPN until patched (use whichever init system manages the service):

sudo systemctl stop vpnserver    # systemd
sudo service vpnserver stop      # SysV init / service wrapper

🧯 If You Can't Patch

  • Implement strict network access controls to limit VPN server exposure
  • Deploy intrusion prevention systems with CVE-2023-27395 signatures

🔍 How to Verify

Check if Vulnerable:

Check the installed SoftEther VPN version. On Linux, run vpncmd /server localhost /cmd About; on Windows, check the program version in the About dialog.

Check Version:

vpncmd /server localhost /cmd About | grep Version

Verify Fix Applied:

Verify that the reported version is 5.02.5180 or later using the same commands.
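The version check above can be scripted for fleet-wide verification. The following is an added example (not SoftEther's tooling) that parses a version out of vpncmd "About" output or out of the dotted/hyphenated version strings used in this advisory, and reports whether the build is below the patched 5.02.5180. It assumes vpncmd prints a line of the form "Version X.YY Build ZZZZ"; the sample output embedded below is constructed for illustration.

```python
"""Version check for CVE-2023-27395 (added example, not vendor tooling).

Assumption: `vpncmd /server localhost /cmd About` prints a line such as
"Version 5.02 Build 5180". Dotted ("5.02.5180") and hyphenated
("4.41-9782-beta") strings from the advisory are accepted as well.
"""
import re
import subprocess
from typing import Optional, Tuple

# First patched build per the vendor advisory: 5.02.5180
FIXED_VERSION: Tuple[int, int, int] = (5, 2, 5180)

# Matches "Version 5.02 Build 5180", "5.02.5180", "4.41-9782-beta" and a
# bare "5.02" (build defaults to 0 when absent).
_VERSION_RE = re.compile(
    r"(?:Version\s+)?(\d+)\.(\d+)(?:(?:\s+Build\s+|[.-])(\d+))?",
    re.IGNORECASE,
)

# Constructed sample of vpncmd About output (not real captured output).
SAMPLE_ABOUT_OUTPUT = """\
vpncmd command - SoftEther VPN Command Line Management Utility
SoftEther VPN Server (64 bit)
Version 5.01 Build 9674
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from vpncmd output or a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(build))


def is_below_fix(text: str) -> Optional[bool]:
    """True if the parsed build is older than 5.02.5180, False if it is the
    fixed build or newer, None if no version could be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_local_server(host: str = "localhost") -> Optional[bool]:
    """Run vpncmd against a local server and classify its version.

    Returns None if vpncmd is not installed or produces no parseable version.
    """
    try:
        out = subprocess.run(
            ["vpncmd", "/server", host, "/cmd", "About"],
            capture_output=True, text=True, timeout=30, check=False,
        ).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_below_fix(out)


if __name__ == "__main__":
    result = is_below_fix(SAMPLE_ABOUT_OUTPUT)
    print("sample output:", parse_version(SAMPLE_ABOUT_OUTPUT),
          "below fix" if result else "fixed or newer")
    live = check_local_server()
    if live is None:
        print("vpncmd not available or version not parseable")
    else:
        print("local server:", "below 5.02.5180" if live else "5.02.5180 or later")
```

The function deliberately reports "below the fixed build" rather than "vulnerable": the advisory names three affected versions, and a version comparison alone cannot tell you whether an older, unlisted build contains the same code, only that it predates the fix.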

📡 Detection & Monitoring

Log Indicators:

  • Unusual packet parsing errors
  • VPN server crashes
  • Memory access violation logs

Network Indicators:

  • Malformed WPC packets to VPN server port
  • Unusual traffic patterns to VPN server

SIEM Query:

source="vpnserver" AND (error OR crash OR overflow)

🔗 References
