CVE-2025-62291

8.1 HIGH

📋 TL;DR

This vulnerability in strongSwan's eap-mschapv2 plugin allows a malicious EAP-MSCHAPv2 server to trigger an integer underflow and heap-based buffer overflow by sending specially crafted small messages. Attackers could potentially execute arbitrary code or cause denial of service on vulnerable strongSwan clients. This affects strongSwan clients configured to use EAP-MSCHAPv2 authentication.

💻 Affected Systems

Products:
  • strongSwan
Versions: All versions before 6.0.3
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when strongSwan client is configured to use EAP-MSCHAPv2 authentication method.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on vulnerable strongSwan clients, potentially leading to full system compromise.

🟠 Likely Case

Denial of service (crash) of the strongSwan client process, disrupting VPN connectivity.

🟢 If Mitigated

Limited impact if strongSwan is not configured to use EAP-MSCHAPv2 or if network segmentation prevents access to malicious servers.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to control an EAP-MSCHAPv2 server that the victim connects to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3

Vendor Advisory: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html

Restart Required: Yes

Instructions:

1. Download strongSwan 6.0.3 or later from https://www.strongswan.org/download.html
2. Follow installation instructions for your platform
3. Restart strongSwan services

🔧 Temporary Workarounds

Disable EAP-MSCHAPv2 (Linux)

Remove or disable the EAP-MSCHAPv2 authentication method in the strongSwan client configuration:

# Edit strongSwan configuration (typically /etc/ipsec.conf or /etc/strongswan.conf)
# Remove or comment out any 'eap-mschapv2' references in authentication methods

🧯 If You Can't Patch

  • Implement network segmentation to restrict which EAP servers clients can connect to
  • Monitor for unusual authentication attempts or crashes in strongSwan client logs

🔍 How to Verify

Check if Vulnerable:

Check strongSwan version and configuration for EAP-MSCHAPv2 usage

Check Version:

strongswan --version

Verify Fix Applied:

Verify strongSwan version is 6.0.3 or later and EAP-MSCHAPv2 is either disabled or patched
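The version and configuration check described above, written out as a POSIX shell script. This is an added example, not part of the advisory or of the strongSwan project: the configuration paths it scans (/etc/strongswan.conf, /etc/ipsec.conf, /etc/swanctl/swanctl.conf), the form of the 'strongswan --version' output it parses, and the result labels it prints are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or from strongSwan): assess a client host
# for CVE-2025-62291 exposure by (1) parsing the installed strongSwan version and
# comparing it with the fixed release 6.0.3, and (2) checking whether the client
# configuration still references EAP-MSCHAPv2. Config paths and the version
# output format are assumptions, not advisory data.

FIXED_VERSION="6.0.3"

# extract_version STRING: print the first X.Y.Z version in STRING (first line only).
# "Linux strongSwan U5.9.14/K6.8.0-45-generic" -> 5.9.14 (not the kernel version).
# Prints nothing if no three-field version is present.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# version_ge A B: succeed if dotted numeric version A >= B (compares three fields,
# ignoring any suffix such as "rc1" on a field).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # all three fields equal
}

# config_uses_mschapv2 FILE: succeed if a non-comment line of FILE mentions
# eap-mschapv2 (e.g. "auth = eap-mschapv2" in swanctl.conf or
# "leftauth=eap-mschapv2" / "rightauth=eap-mschapv2" in ipsec.conf).
config_uses_mschapv2() {
    grep -v '^[[:space:]]*#' "$1" | grep -qi 'eap-mschapv2'
}

# assess VERSION_STRING [CONFIG_FILE...]: print one of
#   patched                   version is 6.0.3 or later
#   vulnerable                older version and a config file references EAP-MSCHAPv2
#   unpatched-not-configured  older version, but no EAP-MSCHAPv2 reference found
#   unknown                   version string could not be parsed
assess() {
    ver=$(extract_version "$1"); shift
    if [ -z "$ver" ]; then
        echo "unknown"; return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    for f in "$@"; do
        if [ -r "$f" ] && config_uses_mschapv2 "$f"; then
            echo "vulnerable"; return 1
        fi
    done
    echo "unpatched-not-configured"; return 0
}

# On a real host: feed the advisory's version command and the usual client
# config locations (assumed paths). Skipped silently where strongSwan is absent.
if command -v strongswan >/dev/null 2>&1; then
    assess "$(strongswan --version 2>&1)" \
        /etc/strongswan.conf /etc/ipsec.conf /etc/swanctl/swanctl.conf || :
fi
```

An "unpatched-not-configured" result still warrants the upgrade: it only means the client does not currently select EAP-MSCHAPv2, which matches the advisory's note that exposure depends on that configuration.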

📡 Detection & Monitoring

Log Indicators:

  • strongSwan client crashes
  • Authentication failures with EAP-MSCHAPv2
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual EAP-MSCHAPv2 authentication attempts
  • Small (6-8 byte) EAP-MSCHAPv2 messages

SIEM Query:

source="strongswan" AND (event="crash" OR event="segmentation fault" OR message="*eap-mschapv2*")
