CVE-2025-25567

9.8 CRITICAL

📋 TL;DR

SoftEther VPN 5.02.5187 contains a buffer overflow vulnerability in the UniToStrForSingleChars function within Internat.c. This could allow arbitrary code execution, though the vendor disputes the severity, claiming it only enables local users to attack themselves through the UI. Systems running the vulnerable version are affected.

💻 Affected Systems

Products:
  • SoftEther VPN
Versions: 5.02.5187
Operating Systems: Windows, Linux, macOS, FreeBSD, Solaris
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor disputes remote exploitability, claiming only local UI-based self-attack possible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full system control via arbitrary code execution, potentially leading to complete system compromise and lateral movement.

🟠 Likely Case

Local authenticated user triggers buffer overflow through UI interaction, causing application crash or limited code execution in their own context.

🟢 If Mitigated

With proper network segmentation and least privilege, impact limited to individual user session disruption.

🌐 Internet-Facing: MEDIUM - While the CVSS score suggests high remote risk, the vendor's dispute suggests exploitation may be limited to local access.
🏢 Internal Only: HIGH - If exploitable locally, authenticated users could compromise VPN servers from within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Proof-of-concept available in references, but vendor disputes remote exploitability. Likely requires local access or authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Monitor the SoftEther VPN website for updates.

🔧 Temporary Workarounds

Restrict Local Access (platforms: all)

Limit access to SoftEther VPN management interface to trusted users only

Network Segmentation (platforms: all)

Isolate SoftEther VPN servers from critical network segments

🧯 If You Can't Patch

  • Implement strict access controls to limit who can interact with the VPN management interface
  • Monitor for unusual process creation or memory access patterns related to SoftEther VPN

🔍 How to Verify

Check if Vulnerable:

Check the SoftEther VPN version via the management console or by examining the installed version. Version 5.02.5187 is vulnerable.

Check Version:

On Windows: Check Programs and Features. On Linux: softether-vpnserver --version or check package manager.

Verify Fix Applied:

Verify that the version has been updated once a patch becomes available. There is currently no fix to verify.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process crashes of vpnserver/vpnclient
  • Memory access violation errors in application logs
  • Multiple failed UI interaction attempts

Network Indicators:

  • Unusual traffic patterns to/from VPN management ports
  • Unexpected process spawning from VPN services

SIEM Query:

Process creation where parent process contains 'vpn' AND (command_line contains 'overflow' OR memory_access_violation = true)

🔗 References
