
OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution


OpenSSL released security updates that address 12 flaws, including a high-severity remote code execution vulnerability.

The OpenSSL project issued security updates fixing 12 vulnerabilities in the open-source cryptographic library, including a high-severity remote code execution flaw. All twelve were discovered by cybersecurity firm Aisle.

The addressed issues are mainly tied to memory safety, parsing robustness, and resource handling. The flaws include stack and heap overflows in PKCS#12 and CMS parsing, NULL pointer dereferences and type-confusion bugs in ASN.1, PKCS#7, QUIC, and TimeStamp handling that can cause denial of service, and out-of-bounds writes in auxiliary APIs like BIO filters. OpenSSL also corrected a logic bug in the CLI signing tool that failed to fully authenticate large inputs, a TLS 1.3 certificate compression issue that enabled memory exhaustion, and a low-level OCB mode flaw that could leave data partially unprotected.

The two most severe issues are:

  1. CVE-2025-15467 – CMS AuthEnvelopedData AEAD IV stack overflow. A stack buffer overflow in OpenSSL's CMS/PKCS#7 AEAD parsing: an attacker-supplied AuthEnvelopedData can carry an oversized IV that is copied into a fixed-size stack buffer before the content is authenticated, so the overflow occurs before any integrity check can reject the message. The flaw can cause a DoS or potentially lead to RCE, and affects OpenSSL 3.0 to 3.6 when parsing untrusted AuthEnvelopedData.
  2. CVE-2025-11187 – PKCS#12 PBMAC1 stack overflow / pointer issues. A validation flaw in OpenSSL's PKCS#12 PBMAC1 handling lets attacker-controlled PBKDF2 parameters overflow a fixed 64-byte stack buffer during MAC verification. The issue can trigger a DoS and potentially code execution, and affects OpenSSL 3.4 to 3.6 when parsing untrusted PKCS#12 files.
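Both bugs have the same shape: a length taken from attacker-controlled DER drives a copy into a fixed-size stack buffer, and the bound check is either missing or comes after the copy. The C below is an added illustration of that pattern and its fix, written for this page; it is not OpenSSL code and does not reproduce either CVE. It decodes a single DER OCTET STRING (the aes-nonce inside GCMParameters that an AuthEnvelopedData carries, and a PBKDF2 salt in a PBMAC1 parameter block, are both this TLV shape), shows the unchecked copy beside a checked one, and runs the checked path over constructed inputs, including a long-form DER length and a truncated encoding. IV_MAX is set to 16, the value of EVP_MAX_IV_LENGTH in OpenSSL's public headers; all function names and the sample inputs are illustrative assumptions.

```c
/* Added example, not OpenSSL code: attacker-controlled DER length vs. a
 * fixed-size stack buffer, the bug class behind the CMS AEAD IV and
 * PKCS#12 PBMAC1 overflows. Names and sizes are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_MAX 16   /* EVP_MAX_IV_LENGTH in OpenSSL's public evp.h */

/* Decode one DER TLV with the expected tag. On success returns 0 and sets
 * *val/*vlen to the content bytes. Rejects indefinite lengths, non-minimal
 * long-form lengths, and lengths that run past the end of the buffer. */
static int der_tlv(const uint8_t *buf, size_t buflen, uint8_t want_tag,
                   const uint8_t **val, size_t *vlen)
{
    size_t len, hdr = 2;

    if (buflen < 2 || buf[0] != want_tag)
        return -1;
    if (buf[1] < 0x80) {
        len = buf[1];                          /* short form */
    } else {
        size_t n = buf[1] & 0x7f;              /* number of length bytes */
        if (n == 0 || n > sizeof(size_t))      /* indefinite or absurd */
            return -1;
        if (buflen < 2 + n)
            return -1;
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        if (len < 0x80)                        /* DER: must be minimal */
            return -1;
        hdr = 2 + n;
    }
    if (len > buflen - hdr)                    /* truncated content */
        return -1;
    *val = buf + hdr;
    *vlen = len;
    return 0;
}

/* Vulnerable pattern: trusts the decoded length and copies into a fixed
 * stack buffer. An IV longer than IV_MAX overwrites the caller's stack.
 * Shown only for the shape of the bug; never call it on untrusted input. */
int iv_from_der_unchecked(const uint8_t *der, size_t derlen,
                          uint8_t out[IV_MAX], size_t *outlen)
{
    const uint8_t *v; size_t vlen;
    if (der_tlv(der, derlen, 0x04, &v, &vlen) != 0)
        return -1;
    memcpy(out, v, vlen);                      /* BUG: vlen unbounded */
    *outlen = vlen;
    return 0;
}

/* Hardened pattern: bound the length before any copy. Returns -2 so a
 * caller can distinguish "oversized IV" from "malformed DER". */
int iv_from_der_checked(const uint8_t *der, size_t derlen,
                        uint8_t out[IV_MAX], size_t *outlen)
{
    const uint8_t *v; size_t vlen;
    if (der_tlv(der, derlen, 0x04, &v, &vlen) != 0)
        return -1;
    if (vlen == 0 || vlen > IV_MAX)            /* reject before copying */
        return -2;
    memcpy(out, v, vlen);
    *outlen = vlen;
    return 0;
}

/* Constructed input builder: a DER OCTET STRING of `len` filler bytes
 * (short form below 0x80, one-byte long form up to 0xff). Returns total size. */
static size_t build_octet_string(uint8_t *dst, size_t cap, size_t len)
{
    size_t hdr = len < 0x80 ? 2 : 3;
    if (len > 0xff || cap < hdr + len)
        return 0;
    dst[0] = 0x04;
    if (len < 0x80) {
        dst[1] = (uint8_t)len;
    } else {
        dst[1] = 0x81;
        dst[2] = (uint8_t)len;
    }
    memset(dst + hdr, 0x41, len);
    return hdr + len;
}

/* A normal 12-byte GCM nonce: the checked path accepts it and returns 12. */
int demo_normal_iv(void)
{
    uint8_t der[64], iv[IV_MAX]; size_t n, ivlen = 0;
    n = build_octet_string(der, sizeof der, 12);
    if (iv_from_der_checked(der, n, iv, &ivlen) != 0)
        return -1;
    return (int)ivlen;
}

/* A hostile 200-byte "nonce" with a long-form length: rejected with -2
 * before a single byte touches the 16-byte buffer. */
int demo_oversized_iv(void)
{
    uint8_t der[256], iv[IV_MAX]; size_t n, ivlen = 0;
    n = build_octet_string(der, sizeof der, 200);
    return iv_from_der_checked(der, n, iv, &ivlen);
}

/* Length claims 12 bytes but only 4 follow: der_tlv rejects it with -1. */
int demo_truncated_iv(void)
{
    uint8_t der[64], iv[IV_MAX]; size_t n, ivlen = 0;
    n = build_octet_string(der, sizeof der, 12);
    return iv_from_der_checked(der, n - 8, iv, &ivlen);
}

int main(void)
{
    printf("12-byte nonce      -> ivlen %d\n", demo_normal_iv());
    printf("200-byte nonce     -> rc %d (rejected before copy)\n", demo_oversized_iv());
    printf("truncated encoding -> rc %d\n", demo_truncated_iv());
    return 0;
}
```

The point of the checked variant is ordering: the bound on the decoded length is enforced before the copy and before any cryptographic processing, which is exactly what the advisory text says was missing (the overflow happened before authentication). The truncation check in der_tlv matters as much as the IV_MAX bound; an over-read from a length that exceeds the remaining buffer is the read-side twin of this write-side bug.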

The remaining issues in the 2026 bulletin are assessed as Low severity and are mostly limited to denial of service or integrity gaps in narrower usage scenarios (CLI tools, legacy PKCS#7, TimeStamp, BIO filters, the OCB low-level API, and PKCS#12 parsing type confusions with DoS-only impact).

Pierluigi Paganini
