CVE-2025-62820
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slack | nebula | 1.9.7 |
| slack | nebula | 1.9.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62820 is a vulnerability in Slack Nebula VPN software before version 1.9.7 where the handling of CIDR (Classless Inter-Domain Routing) in some configurations was incorrect. Specifically, the software mishandled the HostInfo.remoteCidr field, causing it to accept a broader range of IP addresses than intended within the Nebula network. This flaw allowed a malicious or compromised node to spoof arbitrary source IP addresses within the VPN network by exploiting improper CIDR construction and firewall rules, potentially bypassing inbound firewall restrictions. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with a compromised or malicious node certificate to spoof any IP address within the Nebula VPN network. This can lead to unauthorized access, injection of arbitrary UDP packets, or disruption of TCP connections by sending forged TCP RST packets. Essentially, it compromises network security and integrity by bypassing firewall restrictions and enabling IP spoofing attacks within the VPN. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or unauthorized source IP addresses within the Nebula VPN network, especially those that fall outside the expected single IP address assigned per certificate but within a broader subnet. Detection involves inspecting inbound firewall rules and network traffic for signs of IP spoofing or packets originating from unexpected IPs within the Nebula network. Specific commands are not provided in the resources, but network administrators should check firewall logs and use packet capture tools (e.g., tcpdump or Wireshark) to identify packets with source IPs that should be restricted. Additionally, reviewing the Nebula hostmap configuration and certificate IP assignments for improper CIDR ranges can help detect the issue. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Nebula VPN to version 1.9.7 or later, where the CIDR construction logic has been corrected to restrict VPN IP addresses strictly to those issued in certificates. This update fixes the improper CIDR prefix length calculation that allowed overly permissive inbound firewall rules. Until the upgrade can be applied, administrators should consider tightening firewall rules manually to restrict source IP addresses to known valid single IPs per certificate and monitor for suspicious network activity indicative of IP spoofing within the Nebula network. [1, 2]