Encryption Vulnerability in strongMan Management Interface for strongSwan

CVE-2026-25998

What is CVE-2026-25998?

The strongMan management interface for strongSwan has a significant security concern related to its encryption methodology. It previously employed AES in CTR mode with a single global database key for encrypting sensitive information, including private keys and EAP secrets. This design flaw led to the same key stream being reused across different database fields, allowing an attacker with database access to potentially recover encrypted credentials. Particularly concerning is the fact that even public certificates were subjected to the same vulnerability, thus enabling the retrieval of a larger segment of the key stream. This could facilitate the decryption of other secrets—including ECDSA private keys and EAP secrets—which are typically shorter and easier to crack. A fix was introduced in version 0.2.0 where AES-GCM-SIV encryption is employed, utilizing a unique nonce and independently derived encryption keys to enhance security and protect sensitive data more effectively.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References