OpenSSL Patches Three Security Issues, Including a Side Channel That Leaks SM2 Private Keys
Three security issues have been disclosed in OpenSSL, the widely used cryptographic library behind a large share of encrypted internet connections. Tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232, their impact ranges from denial of service to recovery of a private key. The OpenSSL Project rated CVE-2025-9230 and CVE-2025-9231 as Moderate and CVE-2025-9232 as Low; none carries OpenSSL's High rating, but the private-key issue in particular warrants prompt patching where it applies.
OpenSSL implements the Transport Layer Security (TLS) protocol as well as the CMS, HTTP-client and signature code in which these flaws were found. The OpenSSL Project has released fixed versions, and administrators are urged to update to one of the following: OpenSSL 1.0.2zm, 1.1.1zd, 3.0.18, 3.2.6, 3.3.5, 3.4.3 or 3.5.4. Note that the 1.0.2 and 1.1.1 branches are out of public support, so the 1.0.2zm and 1.1.1zd releases are available only to premium support customers; the 3.1 branch is end of life and received no fix.
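A quick way to tell whether a host runs one of the fixed releases listed above is to compare its OpenSSL version string against the advisory's per-branch minimums. The script below is an added example, not code from the OpenSSL Project; it parses the usual `openssl version` / `ssl.OPENSSL_VERSION` format, handles the letter-suffixed 1.0.2 and 1.1.1 numbering (a..y, z, za, zb, ...), and flags branches the advisory does not list. The version strings in the comments are constructed test inputs.

```python
import re
import ssl

# Minimum patched release per branch, taken from the OpenSSL advisory quoted in the article.
# 1.x branches are keyed by (major, minor, patch) and compared on the letter suffix;
# 3.x branches are keyed by (major, minor) and compared on the patch number.
FIXED = {
    (1, 0, 2): "zm",
    (1, 1, 1): "zd",
    (3, 0): 18,
    (3, 2): 6,
    (3, 3): 5,
    (3, 4): 3,
    (3, 5): 4,
}
NEWEST_BRANCH_IN_ADVISORY = (3, 5)

_VER_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(s):
    """Parse 'OpenSSL 3.0.13 30 Jan 2024' or '1.1.1w' into (major, minor, patch, letters)."""
    m = _VER_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {s!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def _letter_key(letters):
    # 1.x letter releases run a..y, z, za, zb, zc, ...: a longer suffix is newer,
    # and suffixes of equal length sort alphabetically. '' is the initial release.
    return (len(letters), letters)


def assess(s):
    """Classify a version string against the advisory's fixed releases.

    Returns one of: 'patched', 'vulnerable', 'not-in-advisory' (an EOL branch such
    as 3.1 with no fix published), 'newer-than-advisory', or 'not-openssl'.
    """
    if "LibreSSL" in s:
        return "not-openssl"  # LibreSSL is a different code base; this table does not apply
    major, minor, patch, letters = parse_version(s)
    if major == 1:
        fixed = FIXED.get((major, minor, patch))
        if fixed is None:
            return "not-in-advisory"
        return "patched" if _letter_key(letters) >= _letter_key(fixed) else "vulnerable"
    if (major, minor) > NEWEST_BRANCH_IN_ADVISORY:
        return "newer-than-advisory"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "not-in-advisory"
    return "patched" if patch >= fixed else "vulnerable"


def check_local():
    """Assess the OpenSSL that the running Python interpreter is linked against."""
    version = ssl.OPENSSL_VERSION
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample inputs, plus the local library.
    for sample in ("OpenSSL 3.0.13 30 Jan 2024", "OpenSSL 3.5.4 30 Sep 2025",
                   "OpenSSL 1.1.1w", "OpenSSL 1.0.2zm", "OpenSSL 3.1.8"):
        print(f"{sample!r:40} -> {assess(sample)}")
    print("local:", *check_local())
```

One caveat a practitioner should keep in mind: distribution packages (Debian, Ubuntu, RHEL and others) often backport fixes without bumping the upstream version number, so a "vulnerable" result for a vendor package must be confirmed against that vendor's changelog or security tracker rather than taken at face value. The check above also only tells you which library a given binary is linked against; statically linked or vendored copies of OpenSSL inside applications need to be inventoried separately.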
CVE-2025-9230 is an out-of-bounds read and write in the RFC 3211 key-encryption-key unwrap code used when decrypting CMS messages protected with password-based encryption. An application that decrypts attacker-supplied CMS messages of this kind can be crashed, and the OpenSSL Project notes that code execution is theoretically possible, though it considers that unlikely. CVE-2025-9232 is an out-of-bounds read in the HTTP client's handling of the no_proxy setting; its only known impact is a crash, so it is a denial-of-service issue and does not expose keys.
CVE-2025-9231 is the most serious of the three for anyone it applies to: a timing side channel in the SM2 signature implementation that affects only 64-bit ARM platforms. A remote attacker who can trigger and time enough SM2 signing operations could reconstruct the private key. OpenSSL does not use SM2 in TLS by default, so exposure is limited to applications that call SM2 signing directly. The 1.0.2 and 1.1.1 branches are not affected by this issue or by CVE-2025-9232; only CVE-2025-9230 reaches back that far.
Any service or client that parses untrusted CMS messages, fetches over HTTP through a proxy-aware client built on OpenSSL, or performs SM2 signatures on ARM64 is a candidate for attack, which is why administrators should move to the fixed versions promptly. Where OpenSSL comes from a distribution package, check the vendor's security tracker, since vendors often backport the fix without changing the upstream version number.
In summary, three security issues have been identified in OpenSSL that could lead to denial of service, possible code execution, and private key exposure. Administrators should install one of the patched versions of OpenSSL, or the equivalent vendor update, to protect their systems. The OpenSSL Project continues to publish advisories and fixes as new issues are found.