Drake C.

I am a penetration tester and security researcher.

less than 1 minute read

Summary

SoftEtherVPN 5.02.5187 is vulnerable to Use after Free in the Command.c file via the CheckNetworkAcceptThread function.

To exploit the vulnerability, an attacker must run multiple instances of the vpncmd binary file and utilize the VPN Tools check function to cause a stack use after scope exception.

Details:

A stack-user-after-scope occurs in the CheckNetworkAcceptThread function at line 85 at a memory address on the stack of thread T2 at offset 96 in the frame of CheckNetworkListenThread.

void CheckNetworkAcceptThread(THREAD *thread, void *param)
...
	CHECK_NETWORK_2 *c = (CHECK_NETWORK_2 *)param;
...
}

void CheckNetworkListenThread(THREAD *thread, void *param)
...
			CHECK_NETWORK_2 c;
			THREAD *t;

			Zero(&c, sizeof(c));
			c.s = new_sock;
			c.k = pri;
			c.x = x;

			t = NewThread(CheckNetworkAcceptThread, &c);
			Insert(o, t);
...

SBO2 Screenshot 2025-01-08 135236

SBO3 Screenshot 2025-01-08 135255

Updated:

You may also enjoy

Cve 2025 25567

less than 1 minute read

Summary SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in Internat.c via the UniToStrForSingleChars function.

Cve 2025 25566

less than 1 minute read

Summary SoftEtherVPN 5.02.5187 is vulnerble to denial of service via the UnixMemoryAlloc function.

Cve 2025 25565

1 minute read

Summary SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in the Command.c file via the PtMakeCert and PtMakeCert2048 functions.