
CVE-2025-6775: Command Injection in xiaoyunjie openvpn-cms-flask

Severity: Medium
Tags: Vulnerability, CVE-2025-6775
Published: Fri Jun 27 2025 (06/27/2025, 20:00:20 UTC)
Source: CVE Database V5
Vendor/Project: xiaoyunjie
Product: openvpn-cms-flask

Description

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 06/27/2025, 20:24:52 UTC

Technical Analysis

CVE-2025-6775 is a command injection vulnerability in the openvpn-cms-flask project maintained by xiaoyunjie, affecting versions 1.2.0 through 1.2.7. The flaw is in the create_user function of /app/api/v1/openvpn.py, which handles user creation requests: the Username argument is not properly validated or sanitized before it reaches a system command, so an attacker can inject arbitrary commands that the host executes. Per the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), the flaw is reachable over the network with low attack complexity and no user interaction, but it requires low privileges (PR:L), most likely a low-privilege authenticated user. The CVSS 4.0 base score is 5.3 (medium), reflecting limited impact on confidentiality, integrity and availability; even so, command execution on the VPN management host could allow an attacker to escalate privileges or disrupt service. A patch was released in version 1.2.8, identified by commit e23559b98c8ea2957f09978c29f4e512ba789eb6. No exploitation in the wild has been reported, but public disclosure raises the risk. Because the User Creation Endpoint is central to managing VPN users, a successful exploit could be used to compromise VPN infrastructure or pivot into internal networks.

Potential Impact

For European organizations using openvpn-cms-flask versions 1.2.0 to 1.2.7, this vulnerability poses a risk of unauthorized command execution on VPN management servers. Given that VPN infrastructure is often a critical access point for remote employees and partners, exploitation could lead to unauthorized access to internal networks, data exfiltration, or disruption of VPN services. The medium severity rating suggests that while the vulnerability requires some level of privilege, the potential for lateral movement and privilege escalation exists if attackers gain initial footholds. Organizations in sectors with high reliance on VPNs for secure remote access, such as finance, healthcare, and government, could face operational disruptions and data breaches. The fact that exploitation does not require user interaction increases the risk of automated attacks. Additionally, the public disclosure of the vulnerability may prompt threat actors to develop exploits targeting European organizations, especially those with less mature patch management processes.

Mitigation Recommendations

European organizations should immediately assess their deployment of openvpn-cms-flask and identify any instances running affected versions (1.2.0 to 1.2.7). The primary mitigation is to upgrade all affected instances to version 1.2.8 or later, which contains the patch for this vulnerability. Until upgrades can be applied, organizations should restrict access to the User Creation Endpoint by implementing network-level controls such as IP whitelisting, VPN segmentation, or firewall rules to limit exposure to trusted administrators only. Additionally, monitoring and logging of user creation activities should be enhanced to detect anomalous commands or patterns indicative of exploitation attempts. Employing Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns in the Username parameter can provide temporary protection. Regularly auditing user privileges and enforcing the principle of least privilege for accounts that can access the vulnerable endpoint will reduce the risk. Finally, organizations should stay alert for any emerging exploit reports and update incident response plans accordingly.
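The following is an added example, not code from openvpn-cms-flask or its patch. It illustrates the defect class described above (a username interpolated into a shell command) beside the hardened pattern the mitigation section implies: an allowlist check on the Username value, the command passed as an argv list with no shell, and a log event when a rejected value contains shell metacharacters so the SOC can alert on probing of the endpoint. The provisioning script path, the allowlist policy, and the function names are all hypothetical; the handler is framework-free so it runs offline.

```python
"""Hardening pattern for a user-creation endpoint that passes a username to a
system command. Added example; hypothetical code, not from openvpn-cms-flask."""
import logging
import re
import subprocess

log = logging.getLogger("vpn-cms")

# Constructed allowlist policy: letters, digits, dot, underscore, hyphen; 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
# Shell metacharacters worth alerting on in a username field (constructed list).
METACHAR_RE = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")

# Hypothetical provisioning script path; not a path from the project.
PROVISION_SCRIPT = "/opt/vpn/bin/make-client.sh"


def is_valid_username(username: str) -> bool:
    """Allowlist check: True only if every character is permitted."""
    return USERNAME_RE.fullmatch(username) is not None


def is_suspicious_username(username: str) -> bool:
    """Detection helper: flags shell metacharacters so rejected requests can be alerted on."""
    return METACHAR_RE.search(username) is not None


def vulnerable_command(username: str) -> str:
    """The anti-pattern: the username is interpolated into a single shell string.
    Executed with shell=True, the shell would parse any metacharacters in it."""
    return f"{PROVISION_SCRIPT} {username}"


def build_provision_argv(username: str) -> list:
    """Hardened form: validate, then pass the username as its own argv element.
    With shell=False the username is never parsed by a shell."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return [PROVISION_SCRIPT, "--", username]


def create_user(payload: dict, runner=subprocess.run) -> tuple:
    """Endpoint-style handler: returns (HTTP status, JSON body) without a web framework.
    Nothing is executed unless the username passes the allowlist. `runner` is
    injectable so the handler can be tested without a real provisioning script."""
    username = str(payload.get("username", ""))
    if not is_valid_username(username):
        if is_suspicious_username(username):
            # Detection event for the SOC; repr() keeps control characters visible.
            log.warning("rejected username containing shell metacharacters: %r", username)
        return 400, {"error": "invalid username"}
    argv = build_provision_argv(username)
    try:
        runner(argv, shell=False, check=True, capture_output=True, text=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        log.error("provisioning failed for %s: %s", username, exc)
        return 500, {"error": "provisioning failed"}
    return 201, {"username": username}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed requests: one well-formed, one carrying a metacharacter.
    print(create_user({"username": "alice"}, runner=lambda argv, **kw: None))
    print(create_user({"username": "alice|bob"}))
```

The allowlist is the real control: rejecting anything outside a small character set is far more robust than trying to enumerate dangerous characters. The metacharacter check exists only to turn a rejected request into a logged detection event, which is the kind of signal the monitoring recommendation above calls for.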


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-27T11:02:52.852Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685efa786f40f0eb72665530

Added to database: 6/27/2025, 8:09:28 PM

Last enriched: 6/27/2025, 8:24:52 PM

Last updated: 7/10/2025, 2:41:57 PM
