CVE-2026-25998
Received Received - Intake
AES-CTR Key Reuse in strongMan Allows Credential Decryption

Publication date: 2026-02-19

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25998
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
strongswan strongman 0.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1204 The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
CWE-323 Nonces should be used for the present occasion and only once.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in strongMan, a management interface for strongSwan VPN, arises from how it encrypts credentials stored in its database. It used AES in CTR mode with a global database key but failed to generate unique initialization vectors (IVs) for each encrypted field. This caused every database field to be encrypted with the same key stream.

Because certificates (which are public) are also encrypted this way, an attacker with database access can recover a large part of the key stream by analyzing the encrypted certificates. This enables the attacker to decrypt other sensitive credentials such as ECDSA private keys and EAP secrets, which are shorter and more vulnerable.

The issue is fixed in version 0.2.0 by switching to AES-GCM-SIV encryption with a random nonce and individually derived encryption keys for each value, along with database migrations to re-encrypt all credentials.

Impact Analysis

If an attacker gains access to the database, they can exploit this vulnerability to decrypt sensitive credentials stored by strongMan, including private keys and EAP secrets.

This can lead to unauthorized access to VPN connections, impersonation, and potential compromise of secure communications protected by these credentials.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade strongMan to version 0.2.0 or later.

Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key for each encrypted value.

Additionally, apply the provided database migrations to automatically re-encrypt all credentials securely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart