CVE-2025-11955
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-27

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Incorrect validation of OCSP certificates vulnerability in TheGreenBow VPN, versions 7.5 and 7.6. During the IKEv2 authentication step, the OCSP-enabled VPN client establishes the tunnel even if it does not receive an OCSP response or if the OCSP response signature is invalid.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-10-27
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor: thegreenbow, Product: vpn_client, Version: 7.5
Vendor: thegreenbow, Product: vpn_client, Version: 7.6
CWE
CWE-299: The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Executive Summary

This vulnerability in TheGreenBow VPN Client versions 7.5 and 7.6 involves incorrect validation of OCSP (Online Certificate Status Protocol) responses during the IKEv2 authentication step. The VPN client establishes a tunnel even if it receives no OCSP response or if the OCSP response signature is invalid, so it never reliably learns whether the peer's certificate has been revoked. As a result, the client can accept revoked or unverified certificates. [1, 2]

Impact Analysis

This vulnerability allows the VPN client to establish tunnels without verifying the revocation status of the peer's certificate. An attacker holding a revoked or otherwise invalid certificate could therefore potentially authenticate through the VPN and gain unauthorized access, leading to security breaches and exposure of sensitive data. [1, 2]

Mitigation Strategies

To mitigate this vulnerability, immediately disable the OCSP feature in TheGreenBow VPN Client versions 7.5 and 7.6 and instead configure the VPN client to use Certificate Revocation Lists (CRLs) for revocation checking. Additionally, upgrade to version 7.7 or later, where the vulnerable OCSP validation feature has been removed. [1, 2]
