
OpenVPN Access Server Desktop Client vulnerable

OpenVPN's developers recommend that users of the desktop client update immediately. The reason is a cross-site request forgery (CSRF) attack through which attackers can gain remote access to the victim's computer.
Austrian security researchers discovered the vulnerability back in May of this year. A user running the outdated client who visits a malicious website risks giving an attacker access to their PC.
OpenVPN Access Server consists of two parts:
1) A service that mediates between the VPN server and the user through an XML-RPC interface.
2) A user interface that talks to that service through the API.
The XML-RPC API is vulnerable to cross-site request forgery (CSRF). Certain API commands let an attacker learn the victim's real IP address, redirect traffic to servers under their control (a MITM attack), and ultimately execute arbitrary code with system privileges on the user's computer.
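The root cause described above is a local XML-RPC service that a web page can reach simply because the browser will POST to localhost on the user's behalf. The following is an added example, not OpenVPN's code and not the researchers' proof of concept: a small Python XML-RPC server showing the checks that close this class of CSRF hole. The service name, the `X-Client-Token` header and the `add` method are assumptions chosen for illustration. Three properties distinguish a native desktop UI from a browser: a browser always sends an `Origin` (and usually `Referer`) header on a cross-site POST, the `Host` header must match the loopback address the service bound to, and a secret token that only the legitimate UI knows cannot be attached by a cross-site page (custom headers would trigger a CORS preflight that the service never approves).

```python
"""Hardening a local XML-RPC service against cross-site request forgery.

Illustrative example, not OpenVPN's code. A desktop client that exposes an
XML-RPC endpoint on 127.0.0.1 is reachable from any web page the user opens.
The request handler below rejects a call unless it
  1. carries no Origin/Referer header (native clients never send one),
  2. addresses the loopback host the service was bound to, and
  3. carries a per-install secret token (X-Client-Token, a name assumed here)
     that a cross-site page cannot attach without a CORS preflight.
"""
import http.client
import secrets
import threading
import xmlrpc.client
from http import HTTPStatus
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

ALLOWED_HOSTS = {"127.0.0.1", "localhost"}


def is_forged_request(headers, expected_token):
    """Return a rejection reason if the request looks cross-site, else None.

    `headers` is any mapping of header names to values; lookups are made
    case-insensitive here so both http.server's Message and plain dicts work.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h or "referer" in h:
        return "browser-originated request (Origin/Referer present)"
    host = h.get("host", "").rsplit(":", 1)[0]  # drop the port
    if host not in ALLOWED_HOSTS:
        return "Host header is not the loopback address"
    token = h.get("x-client-token", "")
    if not token or not secrets.compare_digest(token, expected_token):
        return "missing or invalid client token"
    return None


class CsrfGuardedHandler(SimpleXMLRPCRequestHandler):
    """XML-RPC handler that refuses anything a browser could have sent."""
    rpc_paths = ("/RPC2",)

    def do_POST(self):
        reason = is_forged_request(self.headers, self.server.client_token)
        if reason:
            self.send_error(HTTPStatus.FORBIDDEN, reason)
            return
        super().do_POST()


class GuardedServer(SimpleXMLRPCServer):
    """Loopback-only XML-RPC server holding the secret the UI must present."""

    def __init__(self, token):
        super().__init__(("127.0.0.1", 0), requestHandler=CsrfGuardedHandler,
                         logRequests=False)
        self.client_token = token


def demo():
    """Start the server, call it as the real UI would, then as a web page would."""
    token = secrets.token_hex(16)  # in practice: stored in an owner-only file
    server = GuardedServer(token)
    server.register_function(lambda a, b: a + b, "add")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]

    # Legitimate native client: no Origin, loopback Host, correct token.
    transport = xmlrpc.client.Transport(headers=[("X-Client-Token", token)])
    proxy = xmlrpc.client.ServerProxy(f"http://127.0.0.1:{port}/RPC2",
                                      transport=transport)
    native_result = proxy.add(2, 3)

    # Constructed browser-style request: a cross-site POST carries an Origin
    # header and cannot carry the token, so it must be refused.
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("POST", "/RPC2",
                 body=xmlrpc.client.dumps((2, 3), methodname="add"),
                 headers={"Origin": "http://cross-site.example",
                          "Content-Type": "text/xml"})
    status = conn.getresponse().status
    server.shutdown()
    return native_result, status  # (5, 403)


if __name__ == "__main__":
    print(demo())
```

The token check alone is sufficient against CSRF; the Origin and Host checks are cheap defence in depth that also catch DNS-rebinding style requests, where the Host header names some other domain that resolved to 127.0.0.1.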
OpenVPN provides several different VPNs and security services, but only the Windows desktop client is vulnerable.
Everyone using the desktop application on Windows should switch to OpenVPN Connect.
Vulnerability Video