cvedb.io
CVE-2026-25998
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-02-19T17:24:50.127 · Last modified 2026-06-17T10:25:34.217

Summary

strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker that has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allow

Affected products

strongswan — strongman

Does this affect you?

Add your gear to cvedb and we'll alert you only when strongswan ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.