pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086
-
I'm not seeing any patches for this vulnerability, which affects OpenVPN 2.6.0 to 2.7_rc1
https://www.cve.org/CVERecord?id=CVE-2025-13086
My install is...
2.8.1-RELEASE (amd64)
built on Fri Oct 24 16:53:00 BST 2025
FreeBSD 15.0-CURRENT
openvpn --version reports OpenVPN 2.6.14 amd64-portbld-freebsd15.0
System package manager shows System_Patches is up-to-date at 2.2.24
-
@sheepthief said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
system package manager
The system package manager ( GUI System > Patches ) can 'patch' system script (text) files. Not binaries or pfSense (FreeBSD) packages.
Fire up the console or SSH access and use option 13.
While there, use option 8 also and then
pkg update
pkg upgrade
If Netgate made an upgrade to their 'OpenVPN' (pfSense) package, it will be made available using these commands.
And don't worry about Netgate knowing or not that there is a CVE out there. As one of the world's leading firewall authors (free publicity ^^), they were already aware before the CVE went public. "Security" is part of their business model.
( Btw : I'm just another pfSense user like you ) -
More specifically:
OpenVPN versions 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 are affected.
We are working on it.....
-
@stephenw10 said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
We are working on it.....
Would the update then be available through reinstalling the openvpn-client-export package?
-
No it would likely be via a CLI pkg update as @Gertjan mentioned above.
-
@stephenw10 I didn't know that!
I learned to do updates only via the pfSense updater or package manager to avoid system damage... -
Not the "openvpn-client-export package", as that's a GUI script that 'just' collects client-related OpenVPN stuff and creates a dot ovpn file.
I didn't check what the issue actually is, but it looks like the binary "openvpn" needs to be recompiled.
The pfSense OpenVPN GUI package will probably not change, just the core 'FreeBSD' (pfSense) openvpn binary package that contains the binaries and related tools.
To upgrade : as shown above.
If you want to receive a 'mail' (or any other notification type of your choice), do this : Auto update check, checks for updates to base system + packages and sends email alerts.
You will not only receive a notification if a new pfSense release is available, but also pfSense GUI packages and even 'system' packages like, a couple of days ago : unbound.
For example, right now, I get a notif every day (received this morning) that :
pfSense version 25.11 is available
acme: 1.0 ==> 1.0.3
System_Patches: 2.2.23 ==> 2.2.24
An update to pfSense version 25.11 is available
The following updates are available and can be installed using System > Package Manager:
acme: 1.0 ==> 1.0.3
System_Patches: 2.2.23 ==> 2.2.24
Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:
pfSense-pkg-System_Patches: 2.2.23 -> 2.2.24 [pfSense]
pfSense-pkg-acme: 1.0 -> 1.0.3 [pfSense]
edit : btw : this message tells me implicitly that I should stop upgrading packages.
That I should upgrade to 25.11 first.
During the pfSense 25.11 upgrade, all the new available packages will get pulled in. -
Yes since this is a base pkg it's a special case.
-
@Gertjan said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
Not the "openvpn-client-export package" as that's a GUI script that one 'just' collects client related OpenVPN stuff ans creates a dot ovpn file.
I'm pretty sure it also updated (rarely) the OpenVPN binary in the past, but I can't remember which issue/thread it was...
-
@stephenw10 said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
Yes since this is a base pkg it's a special case.
@stephenw10 can you update this thread as soon as there is an update available?
How can I check for updates in the terminal? -
@stephenw10 said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
More specifically:
OpenVPN versions 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 are affected.
We are working on it.....
Thanks for the replies everyone, and glad to know it's being worked on.
Meantime I'll look to see if I can switch to using IPSec instead (I've a bit of a complex setup with multiple captive portals tunnelling back to a centralised VPN server, so though I've been meaning to switch to IPSec for some years I've kept putting it off).
-
pfSense Plus 25.11 has openvpn 2.6.16 version, so no problems there.
-
@slu said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
@stephenw10 can you update this thread a soon there is a update available?
Yes I can.
-
OK it's available now.
It will be pulled in if you reinstall the client export package.
Or you can run at the CLI:
pkg upgrade openvpn -
@stephenw10 said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
OK it's available now.
Thank you @stephenw10, works as expected after the reinstall of the openvpn-export.
-
Although I don't use OpenVPN, I received the following email message from the pkg_check.php script on 2.8.1
pfSense - Notification
12:00 AM
Notifications in this message: 1
=====================
00:00:08 Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run 'pkg upgrade' from the shell to install them:
openvpn: 2.6.14 -> 2.6.16 [pfsense]
-
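Two things in this thread lend themselves to a small script: the affected range stephenw10 quoted earlier (2.6.0 through 2.6.15, 2.7_alpha1 through 2.7_rc1) and the pkg_check.php notice quoted just above. The following is an added example, not code from this thread, from pfSense or from Netgate. The function names, the sample `openvpn --version` lines and the notice body are constructed for the example; the only thing it assumes about pfSense is the `name: old -> new [repo]` line format shown in the notice, and that `openvpn --version | head -n 1` is what you would feed the first function on a real box. Beta builds are treated as sitting between alpha and rc, which is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/Netgate.
#  openvpn_affected  - is an "openvpn --version" line inside the range the thread
#                      quotes for CVE-2025-13086 (2.6.0..2.6.15, 2.7_alpha1..2.7_rc1)?
#  base_update_lines - pull "name old new" out of a pkg_check.php-style notice body
#                      so a cron job can act on base-system updates.
# On a pfSense box: openvpn_affected "$(openvpn --version | head -n 1)"

# Print the version token (2.6.14 or 2.7_rc1) found in a version line, if any.
openvpn_version_token() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E -m1 '^[0-9]+\.[0-9]+(\.[0-9]+|_[A-Za-z]+[0-9]*)$'
}

# Exit 0 = in the affected range, 1 = outside it, 2 = no version recognised.
openvpn_affected() {
    ver=$(openvpn_version_token "$1") || return 2
    case "$ver" in
        # 2.7 pre-releases: the quoted range runs from alpha1 up to rc1.
        # Assumption: beta builds sit between alpha and rc, so they count as in range.
        2.7_alpha*|2.7_beta*|2.7_rc1) return 0 ;;
        2.7*) return 1 ;;   # 2.7_rc2 and later, and 2.7.0 final, are outside the quoted range
    esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" = 2 ] && [ "$minor" = 6 ] || return 1
    [ "$patch" -le 15 ]
}

# Print "name old new", one per line, for every "name: old -> new [repo]" entry
# in a notice body. Prints nothing when the notice lists no base-system updates.
base_update_lines() {
    printf '%s\n' "$1" \
        | grep -E -o '[A-Za-z0-9_.+-]+: [^ ]+ -> [^ ]+ \[[^]]+\]' \
        | sed -E 's/^([^:]+): ([^ ]+) -> ([^ ]+) \[[^]]+\]$/\1 \2 \3/'
}

# Constructed sample inputs, not output captured from any real host.
SAMPLE_NOTICE="00:00:08 Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run 'pkg upgrade' from the shell to install them: openvpn: 2.6.14 -> 2.6.16 [pfsense]"

for line in "OpenVPN 2.6.14 amd64-portbld-freebsd15.0" \
            "OpenVPN 2.6.16 amd64-portbld-freebsd15.0" \
            "OpenVPN 2.7_rc1 x86_64-pc-linux-gnu" \
            "not a version line"; do
    openvpn_affected "$line"; rc=$?
    case $rc in
        0) echo "AFFECTED    : $line" ;;
        1) echo "not in range: $line" ;;
        *) echo "unrecognised: $line" ;;
    esac
done

# Feed the versions found in a base-system notice back into the range check.
base_update_lines "$SAMPLE_NOTICE" | while read -r name old new; do
    if [ "$name" = openvpn ] && openvpn_affected "$old"; then
        echo "pending base update moves openvpn out of the affected range: $old -> $new"
    fi
done
```

The range check deliberately rejects anything it cannot parse (exit 2) rather than guessing, so a cron job built on it will not silently report "not affected" for an unexpected version string.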
@elvisimprsntr said in pFsense 2.81 and OpenVPN vulnerability CVE-2025-13086:
Although I don't use OpenVPN
Use ?
Look at the menu of pfSense :
Even if you don't use it, it's still part of pfSense 'base'.
-
Right. But if you don't have it enabled then DOS CVEs aren't really an issue.

-
@Gertjan I was just reporting if you run the pkg_check.php script as a cron, you will automagically get a notification when base package updates are released.
Just wish there were more frequent official updates to Tailscale, but it might be impossible to keep up given the frequency of changes.
-
@stephenw10 Disk Operating System? Or denial-of-service?