Executive Summary

A critical remote code execution vulnerability has been identified and patched in OpenSSL, the ubiquitous cryptographic library underpinning secure communications across the internet and enterprise environments. The flaw, tracked as CVE-2025-15467, is a high-severity stack buffer overflow that can be triggered by unauthenticated attackers via maliciously crafted CMS (Cryptographic Message Syntax) messages using AEAD ciphers such as AES-GCM. This vulnerability is particularly dangerous because it is pre-authentication, does not require valid key material, and can be exploited remotely, enabling attackers to crash affected services or execute arbitrary code. There is credible evidence of exploitation in the wild, underscoring the urgency for immediate remediation.

Technical Information

CVE-2025-15467 is a stack buffer overflow vulnerability (CWE-787: Out-of-bounds Write) in the OpenSSL implementation of CMS (Cryptographic Message Syntax) when handling AuthEnvelopedData structures that utilize AEAD (Authenticated Encryption with Associated Data) ciphers, such as AES-GCM. The vulnerability arises from improper validation of the Initialization Vector (IV) length encoded in ASN.1 parameters. Specifically, the IV is copied into a fixed-size stack buffer without verifying its length, allowing an attacker to supply an oversized IV and trigger a stack-based out-of-bounds write.

This flaw is exploitable in any context where an application or service parses untrusted CMS or PKCS#7 content using AEAD ciphers. Notably, the overflow occurs before any authentication or tag verification, meaning that attackers do not need to possess valid cryptographic keys or credentials. The attack vector is remote and unauthenticated, making it highly attractive for both opportunistic and targeted threat actors.

The impact of successful exploitation includes denial of service (via application crash) and, depending on platform mitigations such as stack canaries or address space layout randomization (ASLR), potential remote code execution. The vulnerability affects all branches of OpenSSL 3.6, 3.5, 3.4, 3.3, and 3.0. Earlier versions, such as OpenSSL 1.1.1 and 1.0.2, are not affected.

The official patch, released in OpenSSL versions 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19, introduces proper bounds checking on the IV length before copying it into the stack buffer, effectively neutralizing the vulnerability. The fix is detailed in the OpenSSL Security Advisory (2026-01-27) and the corresponding GitHub commit.

From a technical perspective, the vulnerability is particularly insidious because it can be triggered in pre-authentication scenarios, such as when a server or client processes S/MIME messages, encrypted email, or other protocols leveraging CMS with AEAD ciphers. The attack does not require any prior knowledge of the system or cryptographic secrets, and can be executed simply by sending a specially crafted message to a vulnerable endpoint.

Security researchers and vendors have confirmed that exploitation is straightforward, and proof-of-concept code is available in the public domain. The vulnerability has been mapped to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1203 (Exploitation for Client Execution), reflecting its utility in both initial access and lateral movement scenarios.

Exploitation in the Wild

Multiple cybersecurity sources, including gbhackers.com and SecurityOnline.info, have reported active exploitation of CVE-2025-15467. Notably, two malicious FortiCloud accounts were observed leveraging this vulnerability to target exposed services before being locked out on January 22, 2026. Attackers have been seen sending specially crafted CMS messages to vulnerable servers, triggering the stack overflow and, in some cases, achieving remote code execution.

Indicators of compromise include the presence of S/MIME AuthEnvelopedData messages with abnormally large IV fields, unexplained application or service crashes when parsing CMS or PKCS#7 content, and anomalous unauthenticated inbound network traffic containing oversized IVs. Organizations should be vigilant for these signs, as exploitation can occur without any authentication or prior compromise.

APT Groups using this vulnerability

As of this report, there is no public attribution of CVE-2025-15467 exploitation to specific Advanced Persistent Threat (APT) groups. However, the pre-authentication remote code execution capability, combined with evidence of exploitation in the wild, strongly suggests that both criminal and state-sponsored actors are likely to incorporate this vulnerability into their toolkits. The ease of exploitation and the ubiquity of OpenSSL in enterprise and cloud environments make this an attractive target for a wide range of threat actors, including those focused on espionage, data theft, and ransomware operations.

Affected Product Versions

The vulnerability affects all branches of OpenSSL 3.6, 3.5, 3.4, 3.3, and 3.0. Specifically, any application or service statically or dynamically linked against these versions is at risk if it processes untrusted CMS or PKCS#7 content using AEAD ciphers. Notably, OpenSSL 1.1.1 and 1.0.2 are not affected by this vulnerability. Patched versions include OpenSSL 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19. Organizations should verify the version of OpenSSL in use across all systems, including embedded devices, appliances, and third-party applications, as many vendors bundle their own copies of the library.

Workaround and Mitigation

The most effective mitigation is to upgrade OpenSSL to the latest patched version for your branch: 3.6.1, 3.5.5, 3.4.4, 3.3.6, or 3.0.19. Organizations should prioritize patching any externally exposed services that process CMS or PKCS#7 content, especially those using AEAD ciphers such as AES-GCM. In environments where immediate patching is not feasible, consider disabling or restricting the parsing of untrusted CMS or PKCS#7 content, and implement network-level controls to block unauthenticated inbound messages containing oversized IVs.

Security teams should monitor for abnormal CMS or PKCS#7 parsing activity, unexplained application crashes, and anomalous network traffic indicative of exploitation attempts. Comprehensive audits of externally facing services and applications leveraging OpenSSL are recommended to identify and remediate vulnerable instances. Additionally, organizations should review vendor advisories and apply updates to third-party products that may bundle affected versions of OpenSSL.

References

NVD: CVE-2025-15467, OpenSSL Security Advisory, OpenWall OSS-Security, SecurityOnline.info, Red Hat CVE-2025-15467, FOFA Twitter Alert, gbhackers.com.

Rescana is here for you

Rescana is committed to helping organizations proactively manage third-party risk and strengthen their cybersecurity posture. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you identify and remediate vulnerabilities across your digital supply chain. If you have any questions about this advisory or require further assistance, please contact us at ops@rescana.com.