Description
strongMan is a management interface for strongSwan, an open-source IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker who has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
Published: 2026-02-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private credentials
Action: Immediate Patch
AI Analysis

Impact

strongMan encrypts sensitive database fields using AES‑CTR with a single global key and no per‑record IV, causing the same keystream to be reused across all entries. Because the certificates, which are public, are also encrypted in this manner, a database reader can recover a large portion of the keystream and decrypt any other credential stored in the database, including ECDSA private keys and EAP secrets. The result is that an attacker who can read the database can obtain all private keys used by the VPN.

Affected Systems

The vulnerability affects the strongswan:strongMan 0.1.0 release and earlier. The affected product is the management interface for strongSwan; all database fields are encrypted using the flawed scheme. The 0.2.0 version resolves the issue by switching to AES‑GCM‑SIV with per‑record random nonces and unique keys derived by HKDF.
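
The property that separates the two schemes can be tested mechanically, for example as a regression check on a field-encryption routine. The following is an added example, not strongMan's code: it uses an HMAC-SHA256 stand-in for the AES key stream, omits the authentication that AES-GCM-SIV provides, and all function names and the `field-encryption` label are assumptions.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keystream(key, nonce, length):
    """Stand-in stream generator (HMAC-SHA256 over a counter), NOT AES-CTR."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_shared(key, plaintext):
    """Flawed pattern: global key and the same IV for every database field."""
    return xor(plaintext, keystream(key, b"\x00" * 16, len(plaintext)))

def encrypt_per_value(key, plaintext):
    """Fixed pattern: random nonce plus a per-value key derived with HKDF."""
    nonce = os.urandom(16)
    value_key = hkdf_sha256(key, nonce, b"field-encryption")
    return nonce + xor(plaintext, keystream(value_key, nonce, len(plaintext)))

def reuses_keystream(encrypt, key):
    """Audit check: with a shared key stream, C1 xor C2 equals P1 xor P2."""
    p1, p2 = b"A" * 48, b"B" * 48  # constructed test values
    c1 = encrypt(key, p1)[-48:]    # strip a nonce prefix if one is present
    c2 = encrypt(key, p2)[-48:]
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    db_key = bytes(32)  # constructed key, for the demonstration only
    print("shared IV reuses key stream:   ", reuses_keystream(encrypt_shared, db_key))
    print("per-value key reuses key stream:", reuses_keystream(encrypt_per_value, db_key))
```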

Risk and Exploitability

The CVSS base score of 8.7 indicates a high severity risk. The EPSS score is below 1 %, so the likelihood of widespread exploitation remains low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, if an attacker can read the database, credential compromise is almost guaranteed, making this flaw a high‑priority security problem. The primary attack vector is local or remote access to the database; no network exposure is required beyond database egress.

Generated by OpenCVE AI on April 17, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade strongMan to version 0.2.0 or later and run the provided migration scripts to re‑encrypt all credentials.
  • Limit access to the database to only necessary trusted services and users; monitor for anomalous read activity.
  • Create a secure backup of the current database before performing the migration to ensure recovery if anything goes wrong.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:strongswan:strongman:0.1.0:*:*:*:*:python:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Strongswan
Strongswan strongman
Vendors & Products Strongswan
Strongswan strongman

Thu, 19 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description (full text as given under Description above)
Title strongMan vulnerable to private credential recovery due to key and counter reuse
Weaknesses CWE-1204
CWE-323
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:42:52.654Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-25998

Vulnrichment

Updated: 2026-02-20T15:32:23.720Z

NVD

Status: Analyzed

Published: 2026-02-19T17:24:50.127

Modified: 2026-02-23T19:36:48.017

Link: CVE-2026-25998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses