CVE-2025-3908: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2025-3908) affects the configuration initialization tool in OpenVPN 3 Linux versions v20 through v24. The security issue was discovered and initially disclosed on May 19, 2025. The vulnerability specifically impacts the 'openvpn3-admin init-config' command, which was introduced in OpenVPN 3 Linux v20 and must be run as root (OpenVPN Security, OSS Security).

The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), also known as 'Link Following'. It has received a CVSS v3.1 Base Score of 6.2 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that local access is required but no privileges or user interaction are needed (Wiz, NVD).

The vulnerability allows a local attacker to use symlinks pointing at an arbitrary directory, which results in unauthorized changes to the ownership and permissions of that destination directory. The tool will follow symlinks when changing ownership and permissions on two of the directories that the OpenVPN 3 Linux D-Bus services depend on (Wiz, OSS Security).

The vulnerability has been resolved in OpenVPN 3 Linux v24.1, released on May 19, 2025. Users are advised to upgrade to a version newer than OpenVPN 3 Linux v24 (OSS Security, Wiz).

The vulnerability was discovered and reported by Wolfgang Frisch from the SUSE Security team, demonstrating effective collaboration between security researchers and the OpenVPN development team (OSS Security).