Remote Heap Buffer Overflow in strongSwan 5.9.13 libsimaka Plugin Exposes VPN Services to Pre‑Auth Crash
What Happened — A heap‑buffer overflow exists in the libsimaka component of strongSwan ≤ 5.9.13 (CVE‑2026‑35330). The flaw is triggered by a malformed EAP‑SIM/AKA payload sent during the IKE_AUTH exchange, causing an out‑of‑bounds write that leads to a SIGSEGV or, in the worst case, remote code execution before any peer authentication completes.
Why It Matters for TPRM —
- The vulnerability is remote, network‑visible, and can be weaponised without credentials.
- strongSwan is widely deployed for site‑to‑site and remote‑access VPNs, making many third‑party services susceptible.
- A successful exploit can disrupt secure communications, expose internal network topology, and potentially allow an attacker to pivot to downstream systems.
Who Is Affected — Telecommunications, cloud‑infrastructure providers, managed‑service providers, and any enterprise that relies on strongSwan for IPsec/VPN connectivity (e.g., FIN_SERV, TECH_SAAS, TELCO).
Recommended Actions
- Verify whether any third‑party vendors or internal services run strongSwan ≤ 5.9.13 with the
eap‑simoreap‑akaplugins enabled. - Apply the upstream patch (commit aa5aaebc33) or upgrade to a version newer than 5.9.13.
- Conduct penetration testing of VPN endpoints to confirm the fix and monitor for anomalous IKE traffic.
Technical Notes — Attack vector: remote network packet (VULNERABILITY_EXPLOIT). CVE‑2026‑35330. No data exfiltration is described; the primary impact is service disruption and potential code execution. Source: Exploit Database – EDB‑52587