CVE-2026-25075: The 15-Year strongSwan Flaw That Can Crash Saudi Banks' VPN With One Packet

A single malformed EAP-TTLS packet can crash strongSwan VPN servers across 15+ years of releases. Saudi banks relying on IPsec/IKEv2 tunnels for branch and remote-access connectivity must patch CVE-2026-25075 to avoid an unauthenticated denial-of-service that SAMA CSCC classifies as a critical availability risk.

FyntraLink Team

On March 23, 2026, strongSwan disclosed CVE-2026-25075, an integer underflow in its EAP-TTLS authentication plugin that lets an unauthenticated remote attacker crash the charon IKE daemon with a single crafted packet. Every strongSwan release from 4.5.0 through 6.0.4 is affected, meaning 15 years of deployments are exposed. For Saudi financial institutions that use strongSwan-based VPN gateways to connect branches, data centers, and remote employees, this is not a theoretical risk: it is an active availability threat that maps directly to SAMA CSCC and NCA ECC control domains.

What Is CVE-2026-25075 and Why Does It Matter?

strongSwan is one of the most widely deployed open-source IPsec/IKEv2 VPN implementations on Linux. It powers dedicated VPN appliances, firewall distributions, and custom-built gateways across banking, telecoms, and government sectors throughout the Middle East. The vulnerability lives in the eap-ttls plugin, which processes Attribute-Value Pairs (AVPs) tunneled inside EAP-TTLS authentication exchanges.

The root cause is deceptively simple: the length field of each AVP is read from attacker-controlled data, and the code subtracts a constant from it without first verifying the field is large enough to make that subtraction safe. When a value smaller than the constant arrives, an integer underflow occurs, producing an astronomically large computed length. The IKE daemon then attempts to allocate and process a correspondingly enormous buffer, triggering either heap corruption or a NULL pointer dereference — both of which crash the charon process and drop all active VPN tunnels immediately.
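To make the length arithmetic concrete, the following is an added example, not strongSwan's code and not taken from the advisory's patch: a minimal parser for the EAP-TTLS AVP header. One function reproduces the unchecked-subtraction pattern described above; the other adds the bounds check that step 2 of the patch roadmap below describes, plus a second check that the AVP does not claim more bytes than were received. The header layout is assumed from RFC 5281 (4-byte AVP Code, 1-byte Flags, 3-byte Length that counts the 8-byte header plus data; the optional Vendor-ID is not handled), and the three sample AVPs are constructed for illustration, not captured traffic.

```c
/* Added example, not strongSwan's code: a minimal EAP-TTLS AVP header parser
 * showing the underflow pattern next to a bounds-checked version.
 * Header layout assumed from RFC 5281: Code (4 bytes), Flags (1 byte),
 * Length (3 bytes, counting the 8-byte header plus the data). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define AVP_HEADER_LEN 8u

/* Big-endian 24-bit read for the Length field. */
static uint32_t read_be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Vulnerable pattern: Length comes straight from the packet and the header
 * size is subtracted without checking that Length is at least 8. For
 * Length < 8 the uint32_t subtraction wraps to a value near 4 GiB, which is
 * what a caller would then try to allocate or read. */
size_t avp_data_len_unchecked(const uint8_t *buf, size_t buflen)
{
    if (buflen < AVP_HEADER_LEN)
        return 0;                                   /* not even a full header */
    uint32_t avp_len  = read_be24(buf + 5);
    uint32_t data_len = avp_len - AVP_HEADER_LEN;   /* underflows when avp_len < 8 */
    return (size_t)data_len;
}

/* Hardened version in the shape of the fix described in the patch roadmap:
 * reject an AVP whose Length is smaller than the header, and also one whose
 * Length exceeds the bytes actually present. Returns the data length, or -1
 * when the AVP is rejected. */
long long avp_data_len_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < AVP_HEADER_LEN)
        return -1;
    uint32_t avp_len = read_be24(buf + 5);
    if (avp_len < AVP_HEADER_LEN)       /* the missing bounds check */
        return -1;
    if (avp_len > buflen)               /* truncated packet or lying Length */
        return -1;
    return (long long)(avp_len - AVP_HEADER_LEN);
}

/* Constructed samples (not captured traffic). Code 1 = User-Name, flag 0x40 = M bit. */
const uint8_t AVP_OK[]    = {0,0,0,1, 0x40, 0x00,0x00,0x0D, 'a','l','i','c','e'}; /* Length 13 = 8 + 5 */
const uint8_t AVP_SHORT[] = {0,0,0,1, 0x40, 0x00,0x00,0x04, 'a','l','i','c','e'}; /* Length 4 < header */
const uint8_t AVP_TRUNC[] = {0,0,0,1, 0x40, 0x00,0x00,0xC8, 'a','l','i','c','e'}; /* Length 200, 13 bytes present */

int main(void)
{
    const uint8_t *samples[] = {AVP_OK, AVP_SHORT, AVP_TRUNC};
    const size_t   lens[]    = {sizeof AVP_OK, sizeof AVP_SHORT, sizeof AVP_TRUNC};
    const char    *names[]   = {"well-formed", "Length < 8", "Length > received"};
    for (int i = 0; i < 3; i++) {
        printf("%-18s unchecked=%zu  checked=%lld\n", names[i],
               avp_data_len_unchecked(samples[i], lens[i]),
               avp_data_len_checked(samples[i], lens[i]));
    }
    return 0;
}
```

The well-formed sample yields 5 from both functions. For the Length-4 sample the unchecked path returns 4294967292 (0xFFFFFFFC), the "astronomically large" length that drives the downstream allocation or read past the buffer, while the checked path refuses it; the truncated sample shows why the second comparison matters even when Length is at least 8.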

The CVSS 3.1 base score is 7.5 (High). Attack vector is Network, attack complexity is Low, no privileges are required, and no user interaction is needed. For a VPN daemon that is, by design, exposed to the public internet, those parameters describe a realistic, low-barrier attack.

Scope: 15 Years of Vulnerable Releases

The flaw was introduced in strongSwan 4.5.0 and persists in every subsequent release through 6.0.4. That range covers essentially the entire modern lifecycle of the project. Any organization running a Linux-based VPN gateway — whether on bare metal, in a VM, or inside a container — that has not yet upgraded to strongSwan 6.0.5 remains at risk. Bishop Fox published a public proof-of-concept detection script on GitHub (BishopFox/CVE-2026-25075-check), which means the barrier for attackers to scan for and identify vulnerable endpoints is now extremely low.

Organizations that use EAP-TTLS as an inner authentication method for road-warrior or branch-office VPN configurations are directly exposed. Environments that terminate EAP-TTLS on a separate RADIUS server (where the strongSwan gateway never processes the AVPs directly) are not affected — but this architecture is far less common in mid-tier deployments.

Impact on Saudi Financial Institutions

Saudi banks and finance companies routinely rely on IPsec/IKEv2 VPN tunnels to carry inter-branch traffic, connect ATM networks, link payment processing systems to data centers, and provide secure remote access to employees. A successful DoS against the VPN gateway does not exfiltrate data — but it severs the connectivity that every downstream service depends on. Branch tellers lose access to core banking. Treasury desks disconnect from dealing systems. Remote operations staff cannot reach internal applications. In SAMA CSCC terminology, an unplanned availability disruption of this nature falls under the Cyber Resilience domain and triggers mandatory incident reporting thresholds. NCA ECC Control 3-5-2 requires organizations to maintain availability of critical network infrastructure and document recovery time objectives (RTOs) — an objective that becomes immediately testable when a single unauthenticated packet knocks out your gateway.

There is a second-order concern worth flagging: the crash and restart of charon generates noisy logs and may saturate alerting queues with IKE negotiation failures. In a red-team scenario, a well-timed DoS against the VPN gateway can be used as a distraction while a separate attack vector is exploited elsewhere in the network — a technique observed increasingly in financially-motivated intrusions targeting Gulf institutions.

Recommended Actions and Patch Roadmap

  1. Inventory immediately. Run ipsec version or swanctl --version on all Linux VPN gateways and identify any instance below 6.0.5. Include appliances that embed strongSwan internally — vendor firmware often lags upstream releases by months.
  2. Upgrade to strongSwan 6.0.5. The fix adds a bounds check before the offending subtraction, confirming that each AVP length field is at least 8 bytes before computing the data length. The patch is minimal, well-tested, and available in official packages for all major Linux distributions including Ubuntu 24.04/22.04 LTS and RHEL 9.
  3. Assess EAP-TTLS exposure. If your deployment does not use EAP-TTLS, disable the plugin entirely in strongswan.conf as a defense-in-depth measure. This eliminates the attack surface completely without any functional impact.
  4. Apply network-layer mitigations while patching. Rate-limit IKE (UDP/500, UDP/4500) traffic from untrusted sources at the perimeter firewall. While this does not prevent an attacker who already has network access from triggering the bug, it reduces the exposed attack surface and buys time for a controlled patching window.
  5. Run the Bishop Fox detection script. The public CVE-2026-25075-check tool provides a safe, non-destructive way to confirm whether a given endpoint is vulnerable. Run it against your gateway inventory before and after patching to verify remediation.
  6. Document the incident response playbook. Ensure your NOC and SOC have a runbook for a VPN gateway crash: which backup tunnels activate, how branch connectivity fails over, and what the SAMA-mandated reporting timeline is if availability is impacted for more than a defined threshold.
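As an added example for step 1 of the roadmap (not from the advisory, Bishop Fox, or strongSwan), the following helper pulls a major.minor.patch triple out of a line printed by ipsec version or swanctl --version and places it against the affected range stated above (4.5.0 through 6.0.4, with 6.0.5 the first fixed release). The sample lines are constructed in the shape of those tools' output, not captured from a real gateway, and the exact output format of each tool is an assumption.

```c
/* Added example, not from the advisory or strongSwan: a first-pass inventory
 * check that classifies a reported strongSwan version against the affected
 * range 4.5.0 .. 6.0.4 (6.0.5 = first fixed). Sample lines are constructed. */
#include <stdio.h>
#include <ctype.h>

typedef struct { int major, minor, patch; } version_t;

static const version_t FIRST_AFFECTED = {4, 5, 0};
static const version_t FIRST_FIXED    = {6, 0, 5};

/* Three-way compare of two versions. */
static int version_cmp(version_t a, version_t b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Scan a line for the first "N.N.N" triple (the "U5.9.14/K6.8.0" style of
 * ipsec version, or the plain "6.0.5" of swanctl). Returns 1 on success. */
static int parse_version(const char *s, version_t *v)
{
    for (; *s; s++) {
        if (isdigit((unsigned char)*s) &&
            sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3)
            return 1;
    }
    return 0;
}

/* 1 = inside the affected range, 0 = outside it (older than 4.5.0, or 6.0.5
 * and later), -1 = no version found; treat -1 as unknown, never as safe. */
int strongswan_version_status(const char *line)
{
    version_t v;
    if (!parse_version(line, &v))
        return -1;
    if (version_cmp(v, FIRST_AFFECTED) < 0) return 0;
    if (version_cmp(v, FIRST_FIXED) >= 0)   return 0;
    return 1;
}

int main(void)
{
    /* Constructed lines in the assumed shape of each tool's output. */
    const char *samples[] = {
        "Linux strongSwan U5.9.14/K6.8.0-45-generic",   /* ipsec version */
        "strongSwan 6.0.4 swanctl",                      /* swanctl --version */
        "strongSwan 6.0.5 swanctl",                      /* first fixed release */
        "Linux strongSwan U4.4.1/K2.6.32",               /* predates the bug */
        "command not found",                             /* nothing to parse */
    };
    for (int i = 0; i < 5; i++)
        printf("%-45s -> %d\n", samples[i], strongswan_version_status(samples[i]));
    return 0;
}
```

Treat this as a triage filter, not a verdict: Ubuntu and RHEL routinely backport security fixes without changing the upstream version number, so a gateway reporting 5.9.x may already carry the fix, and an embedded appliance may report a version that does not match its actual plugin code. Confirm each hit with the package changelog or the detection script from step 5 before closing the finding.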

Conclusion

CVE-2026-25075 is a reminder that foundational network infrastructure carries hidden debt. A missing bounds check introduced over 15 years ago now translates directly into an unauthenticated, remote, zero-complexity denial-of-service against one of the most business-critical components in any financial institution's network stack. The patch exists, it is straightforward to apply, and the public availability of a detection tool means adversaries are already scanning. For Saudi banks operating under SAMA CSCC and NCA ECC obligations, patching this vulnerability is not optional — it is an availability and resilience control requirement. The question is not whether to patch, but whether you will do it before an attacker forces the issue.

Is your VPN infrastructure patched and resilient? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a network security review tailored to the Saudi financial sector.