CVE-2026-25998: CWE-323: Reusing a Nonce, Key Pair in Encryption in strongswan strongMan
strongMan is a management interface for strongSwan, an open-source IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization vector (IV), a key stream is generated to encrypt the data in the database fields. But because strongMan did not generate individual IVs, every database field was encrypted using the same key stream. An attacker who has access to the database can use this to recover the encrypted credentials. In particular, because certificates, which have to be considered public information, are also encrypted using the same mechanism, an attacker can directly recover a large chunk of the key stream, which allows them to decrypt basically all other secrets, especially ECDSA private keys and EAP secrets, which are usually a lot shorter. Version 0.2.0 fixes the issue by switching to AES-GCM-SIV encryption with a random nonce and an individually derived encryption key, using HKDF, for each encrypted value. Database migrations are provided to automatically re-encrypt all credentials.
AI Analysis
Technical Summary
CVE-2026-25998 identifies a cryptographic flaw in strongMan, the management interface for the open-source strongSwan IPsec VPN solution. strongMan encrypts sensitive credentials stored in its database, including private keys and EAP secrets, using AES in CTR mode with a global database key. However, the implementation reused the same initialization vector (IV) for every encrypted database field, resulting in the reuse of the same key stream across all encrypted values. This violates a fundamental cryptographic principle that key streams in stream ciphers or block ciphers in CTR mode must never be reused with the same key, as it enables attackers to perform XOR operations on ciphertexts to recover plaintexts. Since certificates, which are public information, are also encrypted with the same key stream, an attacker who gains read access to the database can recover a large portion of the key stream by comparing the ciphertext of certificates with their known plaintext. This recovered key stream then allows decryption of other encrypted secrets such as ECDSA private keys and EAP secrets, which are typically shorter and more sensitive. The vulnerability affects all strongMan versions prior to 0.2.0. The fix implemented in version 0.2.0 replaces AES-CTR with AES-GCM-SIV encryption, which provides nonce misuse resistance, and uses a random nonce for each encrypted value. Additionally, encryption keys are individually derived per value using HKDF, preventing key reuse. Database migration tools are provided to re-encrypt existing credentials securely. The vulnerability is assigned a CVSS 4.0 score of 8.7 (high severity), reflecting its network attack vector, no required privileges or user interaction, and high impact on confidentiality. No known exploits are currently reported in the wild.
Potential Impact
The vulnerability allows an attacker with read access to the strongMan database to decrypt all stored credentials, including private keys and EAP secrets. This compromises the confidentiality of VPN credentials, potentially enabling unauthorized access to VPN tunnels and sensitive network resources. Organizations relying on strongMan for managing strongSwan VPN credentials risk exposure of critical cryptographic material, which can lead to interception, impersonation, or man-in-the-middle attacks on VPN communications. The impact is particularly severe for enterprises and service providers using strongSwan for secure remote access or site-to-site VPNs, as it undermines the trustworthiness of their VPN infrastructure. Since exploitation requires database access, the vulnerability also highlights the importance of securing backend systems and databases. The breach of private keys can have long-term consequences, including the need to revoke and reissue certificates and reconfigure VPN endpoints, causing operational disruption and increased incident response costs.
Mitigation Recommendations
Organizations should upgrade strongMan to version 0.2.0 or later immediately to benefit from the fixed encryption scheme using AES-GCM-SIV with random nonces and per-value derived keys. They must perform the provided database migration to securely re-encrypt all stored credentials. Until the upgrade is applied, strict access controls should be enforced on the strongMan database to prevent unauthorized read access. Monitoring and auditing database access logs can help detect suspicious activity. Additionally, organizations should consider rotating all VPN credentials managed by strongMan after remediation to invalidate any potentially compromised keys. Network segmentation and encryption of database backups can further reduce exposure. Finally, reviewing and hardening the overall infrastructure security posture, including limiting administrative privileges and employing multi-factor authentication for management interfaces, will mitigate the risk of initial database compromise.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Netherlands, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.859Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69973b6be884a8a4cb40973c
Added to database: 2/19/2026, 4:33:47 PM
Last enriched: 2/28/2026, 2:45:45 PM
Last updated: 4/6/2026, 5:28:34 AM
Views: 174