CVE-2025-11955
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-27
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thegreenbow | vpn_client | 7.5 |
| thegreenbow | vpn_client | 7.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-299 | The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in TheGreenBow VPN Client versions 7.5 and 7.6 is an incorrect validation of OCSP (Online Certificate Status Protocol) responses during IKEv2 authentication. The client establishes the tunnel even when it receives no OCSP response at all, and even when the OCSP response it does receive carries an invalid signature. In both cases it has not actually learned whether the peer's certificate is revoked, yet it proceeds as if the certificate were good: the revocation check fails open instead of failing closed. A certificate that has been revoked, for example because its private key was compromised, is therefore still accepted. [1, 2]
How can this vulnerability impact me?
Revocation is the only mechanism that rejects a certificate which is otherwise valid (issued by a trusted CA, within its validity period) but must no longer be trusted, typically because its private key was compromised. Because the client proceeds in exactly the two cases where the revocation check has not succeeded, no OCSP response received or a response whose signature does not verify, an attacker holding a revoked certificate and its private key can still complete IKEv2 authentication against the client: preventing the OCSP response from arriving, or substituting a forged one, is enough to get past the check. The result is a tunnel established to a peer that should have been rejected, and exposure of whatever the client sends through that tunnel. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Until you can upgrade, disable the OCSP feature in TheGreenBow VPN Client 7.5 and 7.6 and configure the client to check revocation with Certificate Revocation Lists (CRLs) instead, so that a revoked certificate is still rejected rather than silently accepted. Then upgrade to version 7.7 or later, where the vulnerable OCSP validation feature has been removed. After changing the configuration, confirm that a connection to a gateway presenting a revoked certificate is refused. [1, 2]