CVE-2023-36672

CVE-2023-36672 is a medium-severity vulnerability in Clario Vpn with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-319.

Key facts

Description

An issue was discovered in the Clario VPN client through 5.9.1.1662 for macOS. The VPN client insecurely configures the operating system such that traffic to the local network is sent in plaintext outside the VPN tunnel even if the local network is using a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "LocalNet attack resulting in leakage of traffic in plaintext" rather than to only Clario.

Frequently asked questions

What is CVE-2023-36672?
An issue was discovered in the Clario VPN client through 5.9.1.1662 for macOS. The VPN client insecurely configures the operating system such that traffic to the local network is sent in plaintext outside the VPN tunnel even if the local network is using a non-RFC1918 IP subnet. This allows an adversary to trick the victim into sending arbitrary IP traffic in plaintext outside the VPN tunnel. NOTE: the tunnelcrack.mathyvanhoef.com website uses this CVE ID to refer more generally to "LocalNet attack resulting in leakage of traffic in plaintext" rather than to only Clario.
How severe is CVE-2023-36672?
CVE-2023-36672 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2023-36672 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (48th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-36672?
CVE-2023-36672 affects Clario Vpn. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-36672?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2023-36672 published?
CVE-2023-36672 was published on 2023-08-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Clario Vpn

All CVEs affecting Clario Vpn →

Other CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities

Browse all CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities →