Vulnerabilities, Mar 30, 2026

15-Year-Old strongSwan Flaw Lets Attackers Crash VPNs via Integer Underflow

15-year-old strongSwan integer underflow bug lets attackers crash VPNs via EAP-TTLS.

Summary

A critical integer underflow vulnerability in strongSwan's EAP-TTLS plugin (CVE-2026-25075) affects versions 4.5.0 through 6.0.4, allowing remote attackers to trigger memory corruption and crash VPN services. The flaw manifests as a two-phase attack where an initial malicious message corrupts the heap, and a subsequent connection triggers the daemon collapse, making attribution difficult. Immediate upgrade to version 6.0.5 or plugin disablement is recommended for affected deployments.

Full text

by Deeba Ahmed, March 30, 2026

A 15-year-old flaw in strongSwan’s EAP-TTLS plugin could let hackers knock VPNs offline. Research from Bishop Fox reveals how a simple math error leads to massive memory corruption and service collapse.

For over a decade and a half, a quiet but serious security flaw has been sitting inside strongSwan, popular open-source software used by businesses to run their VPNs. This weakness, which dates back to versions released 15 years ago, could allow an outsider to knock a company’s entire secure network offline.

The vulnerability was recently detailed by the research firm Bishop Fox in research shared with Hackread.com. This report followed an official advisory from strongSwan released on March 23, 2026, regarding a bug tracked as CVE-2026-25075, which impacts nearly every version of the software between 4.5.0 and 6.0.4.

Why the Underflow Matters

The problem lies with a mathematical error known as an integer underflow. To explain it simply, software has to calculate how much memory to set aside for incoming data by taking the total size of a message and subtracting the size of the header, the part of the data that explains what the message is. In strongSwan’s case, the software expects an 8-byte header, and if a hacker sends a tiny message, say only 1 byte, the software still tries to subtract 8 from it. Because of how unsigned computer arithmetic works, subtracting a larger number from a smaller one does not produce a negative number; instead the value wraps around to a huge positive one. This calculation causes the server to call malloc, the system’s way of allocating memory, to try to reserve an impossible 18 exabytes of space, far more than any server actually has.
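As an added illustration of the length arithmetic described above (this is not strongSwan's code, which the article does not reproduce; the 8-byte header is the article's figure, and the function names are hypothetical), the vulnerable unsigned subtraction sits next to the bounds-checked form that rejects a message too short to hold its header:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bug class described above; this is not
 * strongSwan's own code. The 8-byte header is the figure the article
 * gives; function names are hypothetical. */
#define TTLS_HEADER_LEN ((size_t)8)

/* Vulnerable pattern: payload length = message length - header length in
 * an unsigned type, with no check that the header fits. A 1-byte message
 * wraps to SIZE_MAX - 6, which is what then reaches malloc(). */
size_t payload_len_vulnerable(size_t msg_len)
{
    return msg_len - TTLS_HEADER_LEN;
}

/* Hardened pattern: reject any message shorter than the header before
 * subtracting, so the allocation size is bounded by bytes received. */
bool payload_len_checked(size_t msg_len, size_t *payload_len)
{
    if (msg_len < TTLS_HEADER_LEN) {
        return false;               /* truncated header: drop it */
    }
    *payload_len = msg_len - TTLS_HEADER_LEN;
    return true;
}

/* Bytes as exabytes (1 EB = 1e18 bytes); matches the article's
 * "18 exabytes" figure on a 64-bit build. */
double bytes_to_exabytes(size_t n)
{
    return (double)n / 1e18;
}

int main(void)
{
    /* Constructed inputs: the article's 1-byte message, and a well-formed
     * 20-byte message (8-byte header + 12-byte payload). */
    size_t out = 0, wrapped = payload_len_vulnerable(1);
    printf("vulnerable: asks malloc for %zu bytes (%.1f EB)\n",
           wrapped, bytes_to_exabytes(wrapped));
    printf("checked, 1-byte message: %s\n",
           payload_len_checked(1, &out) ? "accepted" : "rejected");
    if (payload_len_checked(20, &out)) {
        printf("checked, 20-byte message: payload %zu bytes\n", out);
    }
    return 0;
}
```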
The Two-Phase Ghost Attack

What makes this discovery particularly interesting is that the VPN might not crash the moment it gets hit, creating what feels like a ghost in the system. According to researchers, “the actual ‘Blue Screen’ or daemon crash happens later when a second connection is made.”

Further probing revealed a two-step disaster. The first malicious message enters and confuses the server’s memory management, known as the heap. The server keeps running for a short time, but the next person who tries to connect triggers the actual collapse of the charon daemon, the background engine that keeps the VPN alive. This delay makes it incredibly difficult for IT teams to trace the crash back to the original attack.

Protecting Your Network

For an attack to work, several conditions must be met. The server must be running a vulnerable version, have the EAP-TTLS plugin enabled, and be configured to accept IKEv2 connections. If your company uses these settings, the fix is relatively simple but urgent: you should upgrade to version 6.0.5 or higher immediately to close the loophole.

Bishop Fox has also developed a testing tool that triggers the math error without actually crashing the server, allowing admins to see whether they are at risk without losing their connection. If you do not need the EAP-TTLS feature at all, experts suggest disabling that plugin.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.

Indicators of Compromise

  • CVE: CVE-2026-25075