High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

A total of 12 vulnerabilities have been fixed in OpenSSL, all discovered by a single cybersecurity firm.

OpenSSL updates released on Tuesday patch a dozen vulnerabilities, including a high-severity remote code execution flaw.

All 12 vulnerabilities patched in the open source SSL/TLS toolkit were discovered by cybersecurity firm Aisle, which used an autonomous analyzer to identify the security holes.

The high-severity issue is tracked as CVE-2025-15467 and has been described as a stack buffer overflow that could lead to a crash (DoS condition) or, under certain conditions, remote code execution.

OpenSSL maintainers explained in their advisory:

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
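The defect the advisory describes is a missing length check between an ASN.1-encoded IV and a fixed-size destination. The following is an added illustration of that check, not OpenSSL's code: it parses the AES-GCM nonce as a short-form DER OCTET STRING, bounds it against the slot before copying, and rejects oversized or truncated encodings; the 16-byte slot size, the struct and all function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-size IV slot standing in for the advisory's "fixed-size stack
 * buffer"; 16 bytes is assumed for this illustration, not OpenSSL's value. */
#define AEAD_IV_BUF 16
typedef struct { uint8_t iv[AEAD_IV_BUF]; size_t ivlen; } aead_params;

/* Parse a DER OCTET STRING (tag 0x04, short-form length) carrying the AES-GCM
 * nonce from GCMParameters. Returns the content length, or 0 if malformed. */
static size_t der_octet_string(const uint8_t *p, size_t len, const uint8_t **c)
{
    if (len < 2 || p[0] != 0x04 || (p[1] & 0x80))
        return 0;                     /* long-form lengths not handled here */
    size_t n = p[1];
    if (n == 0 || n > len - 2)
        return 0;                     /* truncated encoding */
    *c = p + 2;
    return n;
}

/* Copy the parsed nonce into the fixed slot. The vulnerable shape in the
 * advisory is this function minus the "n > sizeof(ap->iv)" test: the encoded
 * length is trusted and memcpy runs past ap->iv, which sits on the stack when
 * the caller declares ap there. No key or tag has been consulted yet. */
static int parse_aead_iv(const uint8_t *der, size_t len, aead_params *ap)
{
    const uint8_t *nonce;
    size_t n = der_octet_string(der, len, &nonce);
    if (n == 0 || n > sizeof(ap->iv)) /* bound the length before copying */
        return 0;
    memcpy(ap->iv, nonce, n);
    ap->ivlen = n;
    return 1;
}

/* Constructed inputs: a normal 12-byte GCM nonce, an oversized 20-byte one,
 * and an encoding whose declared length exceeds the bytes actually present. */
static const uint8_t NONCE_OK[]    = { 0x04, 0x0c, 1,2,3,4,5,6,7,8,9,10,11,12 };
static const uint8_t NONCE_BIG[]   = { 0x04, 0x14, 1,2,3,4,5,6,7,8,9,10,11,12,
                                       13,14,15,16,17,18,19,20 };
static const uint8_t NONCE_TRUNC[] = { 0x04, 0x0c, 1,2,3 };
int accepts_valid_nonce(void)
{ aead_params ap; return parse_aead_iv(NONCE_OK, sizeof NONCE_OK, &ap) && ap.ivlen == 12; }
int rejects_oversized_nonce(void)
{ aead_params ap; return parse_aead_iv(NONCE_BIG, sizeof NONCE_BIG, &ap) == 0; }
int rejects_truncated_nonce(void)
{ aead_params ap; return parse_aead_iv(NONCE_TRUNC, sizeof NONCE_TRUNC, &ap) == 0; }
```

A real CMS parser also has to handle long-form DER lengths and the optional aes-ICVlen field that follows the nonce; the point here is only that the bound is enforced at the copy, before any cryptographic processing.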

The latest OpenSSL releases also address CVE-2025-11187, a moderate-severity issue whose exploitation could also lead to a DoS condition or even remote code execution. 

The remaining flaws have been classified as low severity. A majority of them can be exploited to cause a DoS condition, and a couple are related to authentication and information exposure.

Aisle pointed out that, in addition to the 12 vulnerabilities that have been assigned a CVE, it identified six issues that were addressed before the affected code was included in a release.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
