CVE-2025-54870
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leakingmemory | vtun-ng | 3.0.18 |
| leakingmemory | vtun-ng | 3.0.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54870 is a vulnerability in the vtun-ng package versions 3.0.12 through 3.0.17 where the encryption modules may fail to initialize properly. Due to insufficient error handling, when this failure occurs, the system can revert to transmitting data in plaintext instead of encrypted form. This compromises the confidentiality of the data being transmitted. The issue is especially triggered when using the blowfish-256 encryption algorithm. The vulnerability is fixed in version 3.0.18, and users are advised to upgrade or avoid blowfish-256 as a workaround. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing your network traffic to interception and eavesdropping because data that is expected to be encrypted may be sent in plaintext if the encryption modules fail to initialize. This loss of confidentiality can lead to sensitive information being disclosed to unauthorized parties, increasing the risk of data breaches and other security incidents. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring vtun-ng traffic for unencrypted (plaintext) data transmissions, especially when using versions 3.0.12 through 3.0.17 and the blowfish-256 encryption algorithm. Since the issue causes fallback to plaintext on encryption initialization failure, network traffic analysis tools like Wireshark or tcpdump can be used to detect unencrypted vtun-ng traffic. Additionally, checking the vtun-ng version installed on your system can help identify if it is vulnerable. Commands to check the version include `vtun-ng --version` or inspecting the package version via your package manager. For network detection, commands like `tcpdump -i <interface> port <vtun-ng-port>` or using Wireshark filters to identify unencrypted vtun-ng traffic can be useful. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading vtun-ng to version 3.0.18 or later, where the vulnerability is fixed. Until the upgrade can be performed, avoid using the blowfish-256 encryption algorithm, as it is guaranteed to trigger the vulnerability. Monitoring logs for encryption initialization errors and ensuring error handling is properly logged can also help in early detection and mitigation. [1]