
Jun 29, 2026

Sploitus / Exploitarium


OpenVPN Connect Echo Script ACE + PAC Push

Summary

A malicious server push delivers a base64-encoded script.win.user.disconnect via the echo option; it is decoded and runs on disconnect despite scriptsPermissionGranted=false. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

| Finding | Detail |
| --- | --- |
| Product / target | OpenVPN Connect for Windows (tested builds per PoC) |
| Primitive | push echo base64 script.win.user.disconnect + PROXY_AUTO_CONFIG_URL |
| Impact | Current-user ACE on disconnect; transient PAC AutoConfigURL via dhcp-option push. |

Attack Chain

Import profile → connect → server push → disconnect executes command / applies PAC

Mitigation

Only import VPN profiles from trusted sources; block script pushes at MDM; monitor HKCU AutoConfigURL during VPN.
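
One way to triage pushed options for the two primitives named above, as an added example that is not from the Exploitarium PoC or from OpenVPN: it audits an OpenVPN PUSH_REPLY option string for echo options carrying a script.* key and for dhcp-option PROXY_AUTO_CONFIG_URL values outside an allowlist. The function names, the sample messages and the layout of the echo argument are assumptions; the page does not give the exact echo syntax, so the check matches on the key name only.

```python
import re

# Key and option names come from the page; the rest is assumed for illustration.
SCRIPT_KEY = re.compile(r"\bscript\.[\w.]+", re.IGNORECASE)
PAC_OPTION = "PROXY_AUTO_CONFIG_URL"


def split_push_reply(message):
    """Split a comma-separated PUSH_REPLY message into [name, arg, ...] lists."""
    body = message.strip()
    if body.startswith("PUSH_REPLY"):
        body = body[len("PUSH_REPLY"):].lstrip(",")
    return [opt.split() for opt in body.split(",") if opt.strip()]


def audit_push_reply(message, allowed_pac_urls=frozenset()):
    """Return (finding, detail) tuples for pushed options worth an alert."""
    findings = []
    for opt in split_push_reply(message):
        name, args = opt[0].lower(), opt[1:]
        if name == "echo":
            # Any echo argument naming a script.* key is treated as suspect,
            # whatever encoding or separator follows the key.
            match = SCRIPT_KEY.search(" ".join(args))
            if match:
                findings.append(("echo-script", match.group(0)))
        elif name == "dhcp-option" and args and args[0].upper() == PAC_OPTION:
            url = args[1] if len(args) > 1 else ""
            if url not in allowed_pac_urls:
                findings.append(("pac-push", url))
    return findings


# Constructed sample messages (not captured traffic); the payload is elided.
SUSPECT = ("PUSH_REPLY,route-gateway 10.8.0.1,dhcp-option DNS 10.8.0.1,"
           "dhcp-option PROXY_AUTO_CONFIG_URL http://pac.example.invalid/proxy.pac,"
           "echo script.win.user.disconnect <base64-elided>")
BENIGN = "PUSH_REPLY,route-gateway 10.8.0.1,dhcp-option DNS 10.8.0.1,echo banner-v2"

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, audit_push_reply(msg))
```

A PAC URL the organisation actually deploys can be passed in `allowed_pac_urls` so that only unexpected values raise a finding.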
