VDE-2025-042
Vulnerability from csaf_lenzese - Published: 2025-05-27 09:00 - Updated: 2025-05-27 09:00Summary
Lenze: VPN Client Privilege Escalation in combination with Lenze x500 IoT Gateway
Severity
High
Notes
Summary: The Lenze VPN client is vulnerable to a Local Privilege Escalation to root/SYSTEM by executing a configuration file which can be controlled by a non-privileged user. This occurs through a race condition exploit, where an attacker can overwrite the temporary OpenVPN configuration file located in a world-writable directory. By injecting malicious commands into the configuration file prior to its execution by the VPN client, an attacker can trigger arbitrary code execution with root/system privileges when a VPN connection is initiated. The vulnerability has been remediated in the version 1.4.4 of the Lenze VPN client.
Due to some further developments and completion of the functional scope, it is recommended to update the firmware of the x500 IoT Gateway devices immediately, regardless of the current security vulnerability in the VPN client.
General Recommendations: The cyber security documentation currently describes some of the implemented functions and is thus intended to provide clarity in the functions described here.
Disclamer: Lenze SE assumes no liability whatsoever for any kind of losses or consequential losses that occur by the distribution and/or use of this document . All information published in this document is provided on good faith by Lenze SE. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of Lenze SE. Lenze SE reserves the right to change or update this document at any time.
Impact: This vulnerability allows local non-privileged users to escalate their privileges to root or SYSTEM by exploiting a race condition in the Lenze VPN Client. Successful exploitation could lead to full system compromise, enabling attackers to execute arbitrary code with elevated privileges.
Remediation: Obtain the updated VPN software (version >= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following
commands in an linux system:
tar -xzf vpn_client_x64.tar.gz
cd vpn_client_x64
sudo ./install
8.1 (High)
Vendor Fix
Obtain the updated VPN software (version >= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following
commands in an linux system:
tar -xzf vpn_client_x64.tar.gz
cd vpn_client_x64
sudo ./install
IXON VPN Client before 1.4.4 on Windows allows Local Privilege Escalation to SYSTEM because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten.
8.1 (High)
Vendor Fix
Obtain the updated VPN software (version >= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following
commands in an linux system:
tar -xzf vpn_client_x64.tar.gz
cd vpn_client_x64
sudo ./install
References
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/calculator/3.1",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "The Lenze VPN client is vulnerable to a Local Privilege Escalation to root/SYSTEM by executing a configuration file which can be controlled by a non-privileged user. This occurs through a race condition exploit, where an attacker can overwrite the temporary OpenVPN configuration file located in a world-writable directory. By injecting malicious commands into the configuration file prior to its execution by the VPN client, an attacker can trigger arbitrary code execution with root/system privileges when a VPN connection is initiated. The vulnerability has been remediated in the version 1.4.4 of the Lenze VPN client.\nDue to some further developments and completion of the functional scope, it is recommended to update the firmware of the x500 IoT Gateway devices immediately, regardless of the current security vulnerability in the VPN client.",
"title": "Summary"
},
{
"category": "general",
"text": "The cyber security documentation currently describes some of the implemented functions and is thus intended to provide clarity in the functions described here.",
"title": "General Recommendations"
},
{
"category": "legal_disclaimer",
"text": "Lenze SE assumes no liability whatsoever for any kind of losses or consequential losses that occur by the distribution and/or use of this document . All information published in this document is provided on good faith by Lenze SE. Insofar as permissible by law, however, none of this information shall establish any guarantee, commitment or liability on the part of Lenze SE. Lenze SE reserves the right to change or update this document at any time.",
"title": "Disclamer"
},
{
"category": "description",
"text": "This vulnerability allows local non-privileged users to escalate their privileges to root or SYSTEM by exploiting a race condition in the Lenze VPN Client. Successful exploitation could lead to full system compromise, enabling attackers to execute arbitrary code with elevated privileges.",
"title": "Impact"
},
{
"category": "description",
"text": "Obtain the updated VPN software (version \u003e= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following\ncommands in an linux system: \ntar -xzf vpn_client_x64.tar.gz \ncd vpn_client_x64 \nsudo ./install",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@lenze.com",
"name": "Lenze SE",
"namespace": "https://www.lenze.com"
},
"references": [
{
"category": "external",
"summary": "Lenze SE Product Security Incident Response Team (PSIRT)",
"url": "https://www.lenze.com/en-de/services/cyber-security"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Lenze",
"url": "https://certvde.com/en/advisories/vendor/lenze/"
},
{
"category": "self",
"summary": "VDE-2025-042: Lenze: VPN Client Privilege Escalation in combination with Lenze x500 IoT Gateway - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-042/"
},
{
"category": "self",
"summary": "VDE-2025-042: Lenze: VPN Client Privilege Escalation in combination with Lenze x500 IoT Gateway - CSAF",
"url": "https://lenze.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-042.json"
}
],
"title": "Lenze: VPN Client Privilege Escalation in combination with Lenze x500 IoT Gateway",
"tracking": {
"aliases": [
"VDE-2025-042"
],
"current_release_date": "2025-05-27T09:00:00.000Z",
"generator": {
"date": "2025-05-23T08:15:39.225Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.25"
}
},
"id": "VDE-2025-042",
"initial_release_date": "2025-05-27T09:00:00.000Z",
"revision_history": [
{
"date": "2025-05-27T09:00:00.000Z",
"number": "1",
"summary": "Initial version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "x510",
"product": {
"name": "x510",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "x520",
"product": {
"name": "x520",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "x530",
"product": {
"name": "x530",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "x540",
"product": {
"name": "x540",
"product_id": "CSAFPID-11004"
}
}
],
"category": "product_family",
"name": "x500"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware x510 vers:all/*",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_name",
"name": "x510"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware x520 vers:all/*",
"product_id": "CSAFPID-21002"
}
}
],
"category": "product_name",
"name": "x520"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware x530 vers:all/*",
"product_id": "CSAFPID-21003"
}
}
],
"category": "product_name",
"name": "x530"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware x540 vers:all/*",
"product_id": "CSAFPID-21004"
}
}
],
"category": "product_name",
"name": "x540"
}
],
"category": "product_family",
"name": "Firmware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c1.4.4",
"product": {
"name": "Lenze VPN Client \u003c1.4.4",
"product_id": "CSAFPID-51001"
}
},
{
"category": "product_version",
"name": "1.4.4",
"product": {
"name": "Lenze VPN Client 1.4.4",
"product_id": "CSAFPID-52001"
}
}
],
"category": "product_name",
"name": "Lenze VPN Client"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Lenze"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware x510 vers:all/* installed on x510",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client \u003c1.4.4 external component of Firmware x510 vers:all/* installed on x510",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-31001"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client 1.4.4 external component of Firmware x510 vers:all/* installed on x510",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-31001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware x520 vers:all/* installed on x520",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client \u003c1.4.4 external component of Firmware x520 vers:all/* installed on x520",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-31003"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client 1.4.4 external component of Firmware x520 vers:all/* installed on x520",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-31003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware x530 vers:all/* installed on x530",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client \u003c1.4.4 external component of Firmware x530 vers:all/* installed on x530",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-31005"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client 1.4.4 external component of Firmware x530 vers:all/* installed on x530",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-31005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware x540 vers:all/* installed on x540",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21004",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client \u003c1.4.4 external component of Firmware x540 vers:all/* installed on x540",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-51001",
"relates_to_product_reference": "CSAFPID-31007"
},
{
"category": "external_component_of",
"full_product_name": {
"name": "Lenze VPN Client 1.4.4 external component of Firmware x540 vers:all/* installed on x540",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-52001",
"relates_to_product_reference": "CSAFPID-31007"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-26168",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "summary",
"text": "IXON VPN Client before 1.4.4 on Linux and macOS allows Local Privilege Escalation to root because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Obtain the updated VPN software (version \u003e= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following\ncommands in an linux system: \ntar -xzf vpn_client_x64.tar.gz \ncd vpn_client_x64 \nsudo ./install",
"product_ids": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
}
],
"title": "CVE-2025-26168"
},
{
"cve": "CVE-2025-26169",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "description",
"text": "IXON VPN Client before 1.4.4 on Windows allows Local Privilege Escalation to SYSTEM because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten.",
"title": "Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004"
],
"known_affected": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Obtain the updated VPN software (version \u003e= 1.4.4) from https://cloud.lenze.digital/fleet-manager/tools and run the installer on a windows and macOS system or run the following\ncommands in an linux system: \ntar -xzf vpn_client_x64.tar.gz \ncd vpn_client_x64 \nsudo ./install",
"product_ids": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008"
]
}
],
"title": "CVE-2025-26169"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…