"Two of the vulnerabilities have been assigned a 'moderate severity' rating. One of them is CVE-2025-9231, which may allow an attacker to recover the private key. OpenSSL is used by many applications, websites and services for securing communications and an attacker who can obtain a private key may be able to decrypt encrypted traffic or conduct a man-in-the-middle (MitM) attack."
"CVE-2025-9230, described as an out-of-bound read/write issue that can be exploited for arbitrary code execution or DoS attacks, has also been assigned a 'moderate severity' rating. "Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low," the OpenSSL Project's security advisory explains."
Multiple OpenSSL Library versions (3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd) were released to fix three vulnerabilities tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232. Two issues received Moderate severity ratings: CVE-2025-9231 may allow private key recovery and CVE-2025-9230 is an out-of-bound read/write that could enable arbitrary code execution or DoS, though exploit probability is considered low for the latter. The SM2 implementation on 64-bit ARM platforms is specifically impacted. A third vulnerability is Low severity and can cause a crash leading to DoS. OpenSSL remains widely deployed for securing communications.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]