CVE-2025-62820
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-10-27

Assigner: MITRE

Description
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62820
EUVD
EUVD-2025-35657
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
slack nebula 1.9.7
slack nebula 1.9.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-420 The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62820 is a vulnerability in Slack Nebula VPN software before version 1.9.7 where the handling of CIDR (Classless Inter-Domain Routing) in some configurations was incorrect. Specifically, the software mishandled the HostInfo.remoteCidr field, causing it to accept a broader range of IP addresses than intended within the Nebula network. This flaw allowed a malicious or compromised node to spoof arbitrary source IP addresses within the VPN network by exploiting improper CIDR construction and firewall rules, potentially bypassing inbound firewall restrictions. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker with a compromised or malicious node certificate to spoof any IP address within the Nebula VPN network. This can lead to unauthorized access, injection of arbitrary UDP packets, or disruption of TCP connections by sending forged TCP RST packets. Essentially, it compromises network security and integrity by bypassing firewall restrictions and enabling IP spoofing attacks within the VPN. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized source IP addresses within the Nebula VPN network, especially those that fall outside the expected single IP address assigned per certificate but within a broader subnet. Detection involves inspecting inbound firewall rules and network traffic for signs of IP spoofing or packets originating from unexpected IPs within the Nebula network. Specific commands are not provided in the resources, but network administrators should check firewall logs and use packet capture tools (e.g., tcpdump or Wireshark) to identify packets with source IPs that should be restricted. Additionally, reviewing the Nebula hostmap configuration and certificate IP assignments for improper CIDR ranges can help detect the issue. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Nebula VPN to version 1.9.7 or later, where the CIDR construction logic has been corrected to restrict VPN IP addresses strictly to those issued in certificates. This update fixes the improper CIDR prefix length calculation that allowed overly permissive inbound firewall rules. Until the upgrade can be applied, administrators should consider tightening firewall rules manually to restrict source IP addresses to known valid single IPs per certificate and monitor for suspicious network activity indicative of IP spoofing within the Nebula network. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62820. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart