CVE-2014-9104

Name of the Vulnerable Software and Affected Versions OpenVPN Access Server versions 1.5.6 and earlier

Description The issue affects the XML-RPC API in the Desktop Client, allowing remote attackers to hijack administrator authentication. This can lead to various malicious actions, including disconnecting established VPN sessions, connecting to arbitrary VPN servers, creating VPN profiles, and executing arbitrary commands, all via crafted API requests.

Recommendations For OpenVPN Access Server versions 1.5.6 and earlier, update to a version later than 1.5.6 to resolve the issue. As a temporary workaround, consider restricting access to the XML-RPC API to minimize the risk of exploitation. Avoid using the API for critical operations until the issue is resolved.