15-Year-Old Flaw in StrongSwan VPN Lets Attackers Crash Networks

Kinyua Njeri (Sam Kin)  - Tech Expert
Last updated: March 31, 2026
15-Year-Old Flaw in StrongSwan VPN Lets Attackers Crash Networks, Researchers Warn
  • A 15-year-old integer underflow flaw in strongSwan's EAP-TTLS plugin allows attackers to remotely crash VPN services with a single malformed packet.
  • Bishop Fox researchers discovered that the crash does not strike immediately; a second incoming connection triggers the actual collapse, making the attack extremely difficult to trace.
  • Versions 4.5.0 through 6.0.4 carry the vulnerability; upgrading to version 6.0.5 or higher closes it immediately.

For over fifteen years, a dangerous flaw has been hiding inside strongSwan, one of the most widely used open-source VPN platforms in the enterprise world.

Security researchers at Bishop Fox recently pulled it into the open, and what they found is alarming: a single malformed packet could allow an attacker to knock an entire company’s secure network completely offline.

The vulnerability, tracked as CVE-2026-25075, affects nearly every version of strongSwan between 4.5.0 and 6.0.4. StrongSwan published its official advisory on March 23, 2026, after Bishop Fox shared its findings directly. The flaw lives inside the software’s EAP-TTLS plugin and stems from a simple but catastrophic math error.

Bishop Fox exposes how one math error brings down an entire VPN

The bug is an integer underflow. StrongSwan calculates how much memory to reserve for incoming data by subtracting the size of the message header from the total message size.

The software expects an 8-byte header at all times. When an attacker sends a message of just 1 byte, the server still tries to subtract 8 from 1.

Computer logic does not produce a negative number here; the unsigned value wraps around and spits out an astronomically large positive value instead.

That single miscalculation then forces malloc, the system call responsible for reserving memory, to attempt to allocate roughly 18 exabytes of space.

No server on earth carries that capacity. The guaranteed result is memory corruption, which sets the stage for a full system collapse.
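As an added illustration of the arithmetic described above (this is not strongSwan's own code; the header size is the 8 bytes the article names, and all function names are hypothetical), the unchecked subtraction sits beside a length-validated version that rejects a truncated message before any allocation happens:

```c
/* Illustrative reconstruction of the length bug described in the article.
 * Not strongSwan's EAP-TTLS code; names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u  /* the 8-byte header the parser always expects */

/* Vulnerable pattern: unchecked subtraction on an unsigned length.
 * For msg_len = 1 this wraps to SIZE_MAX - 6, about 18 exabytes. */
size_t payload_len_unchecked(size_t msg_len)
{
    return msg_len - HDR_LEN;
}

/* Hardened pattern: validate that the message can hold its header before
 * doing any arithmetic. Returns 0 and sets *out on success, -1 otherwise. */
int payload_len_checked(size_t msg_len, size_t *out)
{
    if (msg_len < HDR_LEN) {
        return -1;  /* truncated message: nothing to allocate */
    }
    *out = msg_len - HDR_LEN;
    return 0;
}

/* Copy the payload of an in-memory message into a fresh buffer using the
 * checked length. Returns NULL for truncated or unallocatable messages. */
unsigned char *copy_payload(const unsigned char *msg, size_t msg_len, size_t *out_len)
{
    size_t n;
    if (payload_len_checked(msg_len, &n) != 0) {
        return NULL;
    }
    unsigned char *buf = malloc(n ? n : 1);  /* avoid malloc(0) ambiguity */
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, msg + HDR_LEN, n);
    *out_len = n;
    return buf;
}

int main(void)
{
    unsigned char one_byte[1] = { 0x01 };  /* constructed 1-byte message */
    size_t n = 0;
    printf("unchecked: %zu bytes would be requested\n", payload_len_unchecked(1));
    unsigned char *p = copy_payload(one_byte, sizeof one_byte, &n);
    printf("checked: %s\n", p ? "accepted" : "rejected as truncated");
    free(p);
    return 0;
}
```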

The crash arrives late and that is the real danger

What makes this flaw especially dangerous is its delayed impact. Researchers noted that “the actual crash happens later following a second connection attempt,” rather than at the point of the initial attack.

This delayed crash characteristic is particularly troubling given that VPN flaws have become the primary entry point for ransomware groups. Attackers could exploit this bug to create a backdoor or crash the VPN at a strategically chosen moment, potentially covering their tracks while they deploy ransomware across the network.

The assault unfolds across two distinct phases. The first malicious packet enters the server and quietly corrupts its heap, the memory region where the VPN manages all active data.

The server keeps running. Nothing looks wrong. Then the next legitimate user who tries to connect unknowingly triggers the collapse of the charon daemon, the core engine that keeps the VPN alive and functional.

That innocent user effectively takes the blame, at least on first inspection, while the real attacker has long since disappeared.

This deliberate delay is what makes the attack particularly brutal for IT teams to investigate. By the time the VPN goes down, the original bad packet gets buried deep in logs, and all signs point to a completely innocent connection as the cause. The attacker leaves almost no visible trail behind.

Administrators need to act on this immediately

Three conditions must align for this attack to succeed. The server must run a vulnerable version, have the EAP-TTLS plugin actively enabled, and accept IKEv2 connections. Organizations that meet all three criteria carry serious and immediate exposure.

StrongSwan has made the fix available in version 6.0.5, and administrators should treat upgrading as a top priority. Bishop Fox has also developed a proof-of-concept testing tool that reproduces the integer underflow without actually triggering the crash itself, giving security teams a safe way to confirm whether their systems are at risk before applying the patch.

For organizations that do not rely on the EAP-TTLS plugin at all, disabling it entirely removes the attack surface without requiring any additional changes. Security experts strongly recommend that administrators turn the plugin off if it is not actively in use across their infrastructure.

A 15-year-old flaw surviving this long inside widely deployed enterprise infrastructure is a sobering reminder for the entire industry. Attackers rarely need sophisticated, cutting-edge exploits; sometimes a quiet arithmetic error, left unchecked for over a decade, is more than enough to bring critical systems to their knees.

About the Author

Kinyua Njeri is a journalist, blogger, and freelance writer. He’s a technology geek but mainly an internet privacy and freedom advocate. He has an unquenchable nose for news and loves sharing useful information with his readers. When not writing, Kinyua plays and coaches handball. He loves his pets!
