OpenBSD PPP PAP Flaw Allowed Authentication Bypass Across All Releases
OpenBSD fixed a high-severity authentication bypass in its PPP stack after researchers disclosed that the bug had existed since the original sppp code import from FreeBSD in 1999. The flaw affects sppp_pap_input() and all OpenBSD releases through 7.6 when the system is configured as a PAP authenticator on the PPPoE data path. Because the code trusted attacker-controlled name_len and passwd_len values as the lengths for its bcmp() comparisons, it could accept zero-length credentials as valid: a bcmp() over zero bytes returns 0, which means the buffers are equal. This allowed remote attackers to authenticate without legitimate credentials.
The disclosure also described a secondary kernel heap over-read caused when a supplied username length exceeds the allocated size of the stored credential, a condition introduced after credential fields became dynamically allocated in 2009. Researchers said the bug could let an attacker intercept or read PPPoE traffic and could also allow a rogue PPPoE server to impersonate a legitimate server during mutual authentication. OpenBSD committed a fix to -current on 2026-06-14, and a proof of concept reportedly showed successful PAP authentication with empty credentials followed by establishment of a full network-layer link.
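
The comparison pattern described above, modelled in userland C next to a length-checked form. This is an added example, not OpenBSD's code or its patch; the struct, function names and credential values are hypothetical, and memcmp() stands in for bcmp().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the authenticator's stored PAP credentials. */
struct stored_cred {
    const char *name;   /* NUL-terminated username */
    const char *secret; /* NUL-terminated password */
};

/*
 * Pattern the article describes: the peer-supplied lengths alone decide
 * how many bytes are compared. Returns 1 when the peer is accepted.
 * memcmp() stands in for bcmp(); both report "equal" for zero bytes.
 * A length larger than the stored string would also read past it.
 */
static int pap_check_unsafe(const struct stored_cred *c,
    const unsigned char *name, size_t name_len,
    const unsigned char *passwd, size_t passwd_len)
{
    return memcmp(name, c->name, name_len) == 0 &&
        memcmp(passwd, c->secret, passwd_len) == 0;
}

/* Hardened form: received lengths must equal the stored lengths first. */
static int pap_check_safe(const struct stored_cred *c,
    const unsigned char *name, size_t name_len,
    const unsigned char *passwd, size_t passwd_len)
{
    size_t nlen = strlen(c->name), slen = strlen(c->secret);

    if (name_len != nlen || passwd_len != slen)
        return 0; /* rejects empty and over-long fields before any read */
    return memcmp(name, c->name, nlen) == 0 &&
        memcmp(passwd, c->secret, slen) == 0;
}

int main(void)
{
    struct stored_cred c = { "alice", "s3cret" }; /* constructed values */
    const unsigned char *e = (const unsigned char *)"";

    printf("empty creds, unsafe: %d\n", pap_check_unsafe(&c, e, 0, e, 0));
    printf("empty creds, safe:   %d\n", pap_check_safe(&c, e, 0, e, 0));
    return 0;
}
```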

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
OpenBSD commits fix for PAP authentication bypass
OpenBSD committed a fix to -current for the high-severity sppp_pap_input() authentication bypass on 2026-06-14. The flaw affected all versions through 7.6 and allowed zero-length credentials to authenticate successfully due to attacker-controlled length values being used in bcmp() comparisons.
Vulnerability disclosure details PAP bypass and PoC
The vulnerability was publicly disclosed with technical details describing the PAP null-auth weakness, affected OpenBSD versions, PPPoE reachability, and a Python proof of concept that successfully authenticated with empty credentials and established a network-layer link.
2009 change enables secondary kernel heap over-read
A 2009 change that moved credential fields to dynamic allocation enabled a secondary kernel heap over-read condition in the same code path when a supplied PAP name length exceeded the allocated stored credential size.
OpenBSD imports vulnerable sppp code from FreeBSD
The vulnerable comparison pattern in OpenBSD's PPP stack originated when sppp code was imported from FreeBSD in July 1999, introducing the PAP authentication bypass condition.
Sources
OpenBSD Authentication Bypass: PoC Exploit Disclosed
securityonline.info
27-Year-Old OpenBSD Vulnerability Allows Attackers to Bypass PAP Authentication Entirely
cybersecuritynews.com
A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack · Argus Blog
blog.argus-systems.ai
27 Years in the Dark: OpenBSD Fixes Ancient Remote Kernel Auth Bypass : r/netsec
reddit.com
sppp_pap_input(): do not compare credentials if the lengths of received · openbsd/src@076e2b1 · GitHub
github.com
oss-sec: OpenBSD sppp_pap_input: PAP authentication bypass
seclists.org


