High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

Posted on By CWS

OpenSSL updates launched on Tuesday patch a dozen vulnerabilities, together with a high-severity distant code execution flaw.

All 12 vulnerabilities patched within the open supply SSL/TLS toolkit had been found by cybersecurity agency Aisle, which used an autonomous analyzer to determine the safety holes.

The high-severity concern is tracked as CVE-2025-15467 and it has been described as a stack buffer overflow that would result in a crash (DoS situation) or distant code execution in sure situations.

OpenSSL maintainers defined of their advisory:

When parsing CMS AuthEnvelopedData constructions that use AEAD ciphers equivalent to AES-GCM, the IV (Initialization Vector) encoded within the ASN.1 parameters is copied right into a fixed-size stack buffer with out verifying that its size suits the vacation spot. An attacker can provide a crafted CMS message with an outsized IV, inflicting a stack-based out-of-bounds write earlier than any authentication or tag verification happens.

Purposes and providers that parse untrusted CMS or PKCS#7 content material utilizing AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are susceptible. As a result of the overflow happens previous to authentication, no legitimate key materials is required to set off it. Whereas exploitability to distant code execution is determined by platform and toolchain mitigations, the stack-based write primitive represents a extreme threat.

The most recent OpenSSL releases additionally tackle CVE-2025-11187, a moderate-severity concern whose exploitation may additionally result in a DoS situation and even distant code execution. Commercial. Scroll to proceed studying.

The remaining flaws have been categorised as low severity. A majority of them could be exploited to trigger a DoS situation, and a pair are associated to authentication and data publicity.

Aisle identified that along with the 12 vulnerabilitites which have been assigned a CVE, it recognized six points which have been addressed previous to the affected code being included in a launch.

Associated: Microsoft Patches Workplace Zero-Day Seemingly Exploited in Focused Assaults

Associated: OpenSSL Vulnerabilities Enable Non-public Key Restoration, Code Execution, DoS Assaults

Associated: Excessive-Severity OpenSSL Vulnerability Discovered by Apple Permits MitM Assaults

Security Week News Tags:, , , , , ,

Related Posts

750,000 Impacted by Data Breach at The Alcohol & Drug Testing Service 750,000 Impacted by Data Breach at The Alcohol & Drug Testing Service Security Week News
Aisuru Botnet Powers Record DDoS Attack Peaking at 29 Tbps Aisuru Botnet Powers Record DDoS Attack Peaking at 29 Tbps Security Week News
MainStreet Bank Data Breach Impacts Customer Payment Cards  MainStreet Bank Data Breach Impacts Customer Payment Cards  Security Week News
Microsoft’s Project Ire Autonomously Reverse Engineers Software to Find Malware Microsoft’s Project Ire Autonomously Reverse Engineers Software to Find Malware Security Week News
NSO Ordered to Stop Hacking WhatsApp, but Damages Cut to Million NSO Ordered to Stop Hacking WhatsApp, but Damages Cut to $4 Million Security Week News
Chinese Hackers and User Lapses Turn Smartphones Into a ‘Mobile Security Crisis’ Chinese Hackers and User Lapses Turn Smartphones Into a ‘Mobile Security Crisis’ Security Week News