
Ethical Hacking News

OpenSSL Patches Critical Vulnerabilities to Secure Internet Communications


OpenSSL has released critical security updates to address three vulnerabilities that could have severe consequences for internet communications. Users are urged to update immediately to patch these flaws: two affect the library's CMS decryption and SM2 signature computations, and a third can cause a denial-of-service (DoS) condition.

  • The OpenSSL Project has released security updates to address three vulnerabilities (CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232) in its open-source SSL/TLS toolkit.
  • These patches aim to prevent potential exploitation of these flaws, which could have severe consequences for internet communications.
  • OpenSSL is an open-source library that provides encryption, decryption, hashing, and digital certificate management.
  • The project maintainers released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd to address the vulnerabilities.
  • There are three identified vulnerabilities: CVE-2025-9230 (CMS decryption with PWRI), CVE-2025-9231 (SM2 signature computations on 64-bit ARM platforms), and CVE-2025-9232, a low-severity issue that can cause crashes.
  • The OpenSSL library has drastically improved security since the Heartbleed incident.


    The OpenSSL Project has released critical security updates to address three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232, in its open-source SSL/TLS toolkit. These patches aim to prevent potential exploitation of these flaws, which could have severe consequences for internet communications.



    OpenSSL is an open-source library that provides encryption, decryption, hashing, and digital certificate management. It powers SSL/TLS protocols to secure internet communications, widely used in web servers, apps, and systems to protect sensitive data in transit and ensure privacy. The project maintainers released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library to address these vulnerabilities.
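    As an added example (not from the article or the OpenSSL project), the following Python script checks an installed OpenSSL version string against the fixed releases listed above. It handles both the 3.x numeric scheme and the 1.x letter-suffix scheme (a..z, then za, zb, ...), so that 1.1.1w correctly compares below 1.1.1zd, and it flags branches the advisory names no fixed release for instead of silently passing them. The sample `openssl version` banners and the inventory are constructed for illustration.

```python
import re

# Fixed releases named in the advisory (taken from the article), one per branch.
FIXED_VERSIONS = ["3.5.4", "3.4.3", "3.3.5", "3.2.6", "3.0.18", "1.0.2zm", "1.1.1zd"]

# Matches "3.0.13", "1.1.1zd", or the version inside an `openssl version` banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letters) for an OpenSSL version string.

    Accepts a bare version ("3.0.13") or a full banner ("OpenSSL 1.1.1w  11 Sep 2023").
    The letter suffix is the 1.x patch-level scheme: a..z, then za, zb, ...
    It is kept as a tuple of ordinals so tuple comparison orders it correctly:
    () < (a,) < ... < (z,) < (z, a) < ... < (z, m).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letters = tuple(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, patch, letters)


def branch_of(version):
    """Release branch a version belongs to: 3.x patches by minor, 1.x by patch number."""
    major, minor, patch, _ = version
    return (major, minor) if major >= 3 else (major, minor, patch)


# Branch -> minimum version carrying the fix.
FIXED = {branch_of(parse_version(s)): parse_version(s) for s in FIXED_VERSIONS}


def assess(banner):
    """Classify an installed OpenSSL against the advisory's fixed releases.

    Returns "patched", "vulnerable", or "not-in-advisory". The last value covers
    branches the advisory lists no fixed release for (end-of-life or newer
    branches); those need a separate decision rather than a silent pass.
    """
    version = parse_version(banner)
    fixed = FIXED.get(branch_of(version))
    if fixed is None:
        return "not-in-advisory"
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map host name -> assessment for a dict of host -> `openssl version` banner."""
    return {host: assess(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: host names and banners are illustrative only.
    inventory = {
        "web-01": "OpenSSL 3.0.13 30 Jan 2024",
        "web-02": "OpenSSL 3.5.4 30 Sep 2025",
        "legacy-01": "OpenSSL 1.1.1w  11 Sep 2023",
        "legacy-02": "OpenSSL 1.0.2zm 30 Sep 2025",
        "lab-01": "OpenSSL 3.1.7 3 Sep 2024",
    }
    for host, verdict in sorted(audit(inventory).items()):
        print(f"{host:10s} {verdict}")
```

    Run it as-is to see the constructed inventory classified, or feed it the output of `openssl version` from real hosts; the comparison is purely lexical on the version string, so it does not detect distribution backports that keep an older version number while carrying the fix.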



    The first vulnerability, CVE-2025-9230, is an OpenSSL flaw in CMS decryption with password-based encryption (PWRI). This flaw triggers an out-of-bounds read/write, causing crashes (Denial of Service) or memory corruption that may enable code execution. Although a successful exploit of this vulnerability could have severe consequences, the probability that an attacker would be able to perform it is low, and the overall risk is limited because PWRI is rarely used.



    The second vulnerability, CVE-2025-9231, is a Moderate-severity issue in OpenSSL affecting SM2 signature computations on 64-bit ARM platforms. This flaw introduces a timing side-channel that could let attackers recover private keys through precise timing measurements. Although OpenSSL does not natively support SM2 keys in TLS, custom providers may enable their use, making the flaw relevant in those contexts. Remote exploitation remains theoretical but possible.



    The third vulnerability, CVE-2025-9232, is a low-severity OpenSSL issue that can cause crashes and trigger a DoS condition. Since Heartbleed, the security of the OpenSSL library has drastically improved.



    In February, the OpenSSL Project addressed a high-severity vulnerability, tracked as CVE-2024-12797, in its secure communications library. This highlights the importance of staying up-to-date with the latest security patches and updates for critical software like OpenSSL.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/OpenSSL-Patches-Critical-Vulnerabilities-to-Secure-Internet-Communications-ehn.shtml

  • https://securityaffairs.com/182845/security/openssl-patches-3-vulnerabilities-urging-immediate-updates.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-9230

  • https://www.cvedetails.com/cve/CVE-2025-9230/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-9231

  • https://www.cvedetails.com/cve/CVE-2025-9231/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-9232

  • https://www.cvedetails.com/cve/CVE-2025-9232/


  • Published: Wed Oct 1 16:33:23 2025 by llama3.2 3B Q4_K_M