CRZ-005
OpenVPN-AS version fingerprint
info
CVSS 3.1: — · Asset: vpn.corezoid.com
- Severity: Informational (pending version determination)
- CVSS 3.1: pending
- CWE: CWE-1104 (Use of Unmaintained Third-Party Components) if version is outdated
- Asset: https://vpn.corezoid.com → 34.250.252.21
- Discovered: 2026-04-26
- Status: Open — need to determine exact version before CVE matching
Summary
vpn.corezoid.com is identified as OpenVPN Access Server via the Server: OpenVPN-AS response header.
OpenVPN AS has had several critical CVEs:
- CVE-2024-5594 (high, 2024-06) — injection via control channel messages
- CVE-2023-46850 (critical, 2023-11) — use-after-free, memory disclosure
- CVE-2023-46849 (high, 2023-11) — divide-by-zero DoS
Per the engagement RoE, the VPN endpoint is fingerprint-only — no auth brute-forcing, no exploitation. Version disclosure is the only data point collected.
Reproduction
$ curl -skI https://vpn.corezoid.com/ | grep -i server
Server: OpenVPN-AS
The landing page responds with 403 Forbidden (auth required), which is correct behavior. No version string is directly disclosed in the header.
Additional probing needed (fingerprint-only)
- GET /__debug__/version — if debug endpoint present
- GET /robots.txt — sometimes reveals admin paths
- TLS JA3 fingerprint can narrow down AS version
- The login page HTML often contains version comments
Impact
Unknown until version is determined. If version is < 2.13.0, the server is vulnerable to CVE-2023-46850 (memory disclosure, potentially credential leakage).
Remediation
- Keep OpenVPN-AS patched to the latest release.
- Consider hiding the Server: header at the upstream reverse proxy if one is in front.
- Require client certs in addition to passwords (mutual TLS) for the portal.
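A check the asset owner can run to close this finding, added here as an example and not part of the original report: it classifies what the Server header discloses and compares a known version against the 2.13.0 threshold from the Impact section. The `inventory_version` parameter, the function names and the sample header blocks are assumptions; the samples are constructed.

```python
import re

# Threshold from the Impact section of this finding (versions < 2.13.0).
THRESHOLD = (2, 13, 0)

# Constructed samples: headers as described in Reproduction, and after
# the Server header has been hidden at a reverse proxy.
OBSERVED = "HTTP/1.1 403 Forbidden\r\nServer: OpenVPN-AS\r\n\r\n"
HIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"

def parse_version(text):
    """Return the first dotted x.y.z version in text as an int tuple, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def server_header(raw_headers):
    """Extract the Server header value from a raw header block (curl -I output)."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def triage(raw_headers, inventory_version=None):
    """Classify header disclosure and patch status.

    inventory_version (assumption): the version string the owner reads
    from the host's own package inventory, since the header carries none.
    """
    server = server_header(raw_headers)
    if server is None:
        disclosure = "hidden"
    elif parse_version(server):
        disclosure = "product+version"
    else:
        disclosure = "product-only"
    version = parse_version(server) or parse_version(inventory_version)
    if version is None:
        patch = "unknown"
    # Tuple comparison is numeric, so 2.9.0 sorts below 2.13.0;
    # a plain string comparison would get this wrong.
    elif version < THRESHOLD:
        patch = "below-threshold"
    else:
        patch = "at-or-above-threshold"
    return {"disclosure": disclosure, "patch": patch}

if __name__ == "__main__":
    print(triage(OBSERVED))
    print(triage(HIDDEN, "2.14.1"))
```

A result of `hidden` with `at-or-above-threshold` covers the first two remediation items; the client-certificate requirement has to be verified separately.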