CVE-2026-39312 - Vulnerability Details

- Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition

Description

SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.

Published: 2026-04-07

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a flaw in the handling of EAP‑TLS packets in SoftEther VPN Developer Edition 5.2.5188 and earlier. A single malformed EAP‑TLS packet received over the L2TP protocol can trigger a crash of the vpnserver process, immediately terminating all active VPN sessions. The defect is a resource denial weakness, under CWE‑789, and results in a denial‑of‑service condition that disrupts connectivity for all users connected to the affected server.

Affected Systems

Affected products are SoftEtherVPN Server, specifically the Developer Edition version 5.2.5188 and earlier releases. The issue affects deployments that enable L2TP over UDP on port 1701 and do not restrict unauthenticated EAP‑TLS traffic. No other SoftEther product versions or branches are listed as impacted.

Risk and Exploitability

The CVSS v3.1 score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% suggests a low likelihood of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying it may not yet have been observed in widespread attacks. An attacker can reach the target remotely from any network that can reach port 1701; no local access or elevated privileges are required. Successful exploitation would cause an abrupt service halt, impacting availability for all client connections.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SoftEtherVPN

affected

Version	Status	Constraints
`<= 5.2.5188`	affected	—

Configuration 1 [-]

cpe:2.3:a:softether:softethervpn:*:*:*:*:developer:*:*:*

No data.

Vendor Product Confidence Versions

Softethervpn

100%

Version	Status	Scheme	Platform
`[0,5.2.5188]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to SoftEtherVPN Developer Edition 5.2.5189 or later
If an upgrade is not immediately possible, disable or block L2TP (UDP/1701) traffic to the vpnserver until a patch is applied
Verify that no active VPN clients are connected before applying updates to prevent sudden disconnections

Generated by OpenCVE AI on April 14, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00287.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h

History

Tue, 14 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Softether Softether softethervpn
CPEs		cpe:2.3:a:softether:softethervpn:::::developer:::*
Vendors & Products		Softether Softether softethervpn

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Softethervpn Softethervpn softethervpn
Vendors & Products		Softethervpn Softethervpn softethervpn

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		SoftEtherVPN is a an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can crash the vpnserver process by sending a single malformed EAP-TLS packet over raw L2TP (UDP/1701), terminating all active VPN sessions.
Title		Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition
Weaknesses		CWE-789
References		https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/GHSA-q5g3-qhc6-pr3h
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Softether Softethervpn

Softethervpn Softethervpn

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T16:52:08.172Z

Updated: 2026-04-07T17:27:16.498Z

Reserved: 2026-04-06T19:31:07.265Z

Link: CVE-2026-39312

Vulnrichment

Updated: 2026-04-07T17:27:08.391Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:36.920

Modified: 2026-04-14T20:08:38.900

Link: CVE-2026-39312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object