OpenSSL 3.x CMS AuthEnvelopedData AEAD IV stack overflow (v3.6+)
CVE-2025-15467 Published on January 27, 2026

Stack buffer overflow in CMS (Auth)EnvelopedData parsing
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Github Repository Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-15467 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2025-15467 has been classified to as a Memory Corruption vulnerability or weakness.


Products Associated with CVE-2025-15467

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-15467 are published in these products:

OpenSSL
 
Canonical Ubuntu Linux
 
Red Hat Http Server
 
Oracle
 
Siemens Simatic Easie Core Package
 
Siemens Simatic Rtls Locating Manager
 
Siemens Simatic Step 7
 
Siemens Simatic Wincc
 
Siemens Sinec Ins
 
Siemens Sinec Nms
 
Siemens Sinec Security Monitor
 

Affected Versions

OpenSSL: Siemens AI Lightweight Inference Server: Siemens Connector for Azure: Siemens Databus: Siemens HiMed Cockpit: Siemens RUGGEDCOM RM1224 LTE(4G) EU: Siemens RUGGEDCOM RM1224 LTE(4G) NAM: Siemens SCALANCE LPE9403: Siemens SCALANCE LPE9413: Siemens SCALANCE LPE9433: Siemens SCALANCE M804PB: Siemens SCALANCE M812-1 ADSL-Router family: Siemens SCALANCE M816-1 ADSL-Router family: Siemens SCALANCE M826-2 SHDSL-Router: Siemens SCALANCE M874-2: Siemens SCALANCE M874-3: Siemens SCALANCE M874-3 3G-Router (CN): Siemens SCALANCE M876-3: Siemens SCALANCE M876-3 (ROK): Siemens SCALANCE M876-4: Siemens SCALANCE M876-4 (EU): Siemens SCALANCE M876-4 (NAM): Siemens SCALANCE MUB852-1 (A1): Siemens SCALANCE MUB852-1 (B1): Siemens SCALANCE MUM853-1 (A1): Siemens SCALANCE MUM853-1 (B1): Siemens SCALANCE MUM853-1 (EU): Siemens SCALANCE MUM856-1 (A1): Siemens SCALANCE MUM856-1 (B1): Siemens SCALANCE MUM856-1 (CN): Siemens SCALANCE MUM856-1 (EU): Siemens SCALANCE MUM856-1 (RoW): Siemens SCALANCE S615 EEC LAN-Router: Siemens SCALANCE S615 LAN-Router: Siemens SCALANCE SC622-2C: Siemens SCALANCE SC626-2C: Siemens SCALANCE SC632-2C: Siemens SCALANCE SC636-2C: Siemens SCALANCE SC642-2C: Siemens SCALANCE SC646-2C: Siemens SCALANCE WAB762-1: Siemens SCALANCE WAM763-1: Siemens SCALANCE WAM763-1 (ME): Siemens SCALANCE WAM763-1 (US): Siemens SCALANCE WAM766-1: Siemens SCALANCE WAM766-1 (ME): Siemens SCALANCE WAM766-1 (US): Siemens SCALANCE WAM766-1 EEC: Siemens SCALANCE WAM766-1 EEC (ME): Siemens SCALANCE WAM766-1 EEC (US): Siemens SCALANCE WUB762-1: Siemens SCALANCE WUB762-1 iFeatures: Siemens SCALANCE WUM763-1: Siemens SCALANCE WUM763-1: Siemens SCALANCE WUM763-1 (US): Siemens SCALANCE WUM763-1 (US): Siemens SCALANCE WUM766-1: Siemens SCALANCE WUM766-1 (ME): Siemens SCALANCE WUM766-1 (USA): Siemens SCALANCE X200-4P IRT: Siemens SCALANCE X200-4P IRT: Siemens SCALANCE X201-3P IRT: Siemens SCALANCE X201-3P IRT: Siemens SCALANCE X201-3P IRT PRO: Siemens SCALANCE X201-3P IRT PRO: Siemens SCALANCE X202-2IRT: Siemens SCALANCE X202-2IRT: Siemens SCALANCE X202-2P IRT: Siemens SCALANCE X202-2P IRT: Siemens SCALANCE X202-2P IRT PRO: Siemens SCALANCE X202-2P IRT PRO: Siemens SCALANCE X204-2: Siemens SCALANCE X204-2FM: Siemens SCALANCE X204-2LD: Siemens SCALANCE X204-2LD TS: Siemens SCALANCE X204-2TS: Siemens SCALANCE X204IRT: Siemens SCALANCE X204IRT: Siemens SCALANCE X204IRT PRO: Siemens SCALANCE X204IRT PRO: Siemens SCALANCE X204RNA (HSR): Siemens SCALANCE X204RNA (PRP): Siemens SCALANCE X204RNA EEC (HSR): Siemens SCALANCE X204RNA EEC (PRP): Siemens SCALANCE X204RNA EEC (PRP/HSR): Siemens SCALANCE X206-1: Siemens SCALANCE X206-1LD: Siemens SCALANCE X208: Siemens SCALANCE X208PRO: Siemens SCALANCE X212-2: Siemens SCALANCE X212-2LD: Siemens SCALANCE X216: Siemens SCALANCE X224: Siemens SCALANCE X302-7 EEC (230V, coated): Siemens SCALANCE X302-7 EEC (230V): Siemens SCALANCE X302-7 EEC (24V, coated): Siemens SCALANCE X302-7 EEC (24V): Siemens SCALANCE X302-7 EEC (2x 230V, coated): Siemens SCALANCE X302-7 EEC (2x 230V): Siemens SCALANCE X302-7 EEC (2x 24V, coated): Siemens SCALANCE X302-7 EEC (2x 24V): Siemens SCALANCE X304-2FE: Siemens SCALANCE X306-1LD FE: Siemens SCALANCE X307-2 EEC (230V, coated): Siemens SCALANCE X307-2 EEC (230V): Siemens SCALANCE X307-2 EEC (24V, coated): Siemens SCALANCE X307-2 EEC (24V): Siemens SCALANCE X307-2 EEC (2x 230V, coated): Siemens SCALANCE X307-2 EEC (2x 230V): Siemens SCALANCE X307-2 EEC (2x 24V, coated): Siemens SCALANCE X307-2 EEC (2x 24V): Siemens SCALANCE X307-3: Siemens SCALANCE X307-3: Siemens SCALANCE X307-3LD: Siemens SCALANCE X307-3LD: Siemens SCALANCE X308-2: Siemens SCALANCE X308-2: Siemens SCALANCE X308-2LD: Siemens SCALANCE X308-2LD: Siemens SCALANCE X308-2LH: Siemens SCALANCE X308-2LH: Siemens SCALANCE X308-2LH+: Siemens SCALANCE X308-2LH+: Siemens SCALANCE X308-2M: Siemens SCALANCE X308-2M: Siemens SCALANCE X308-2M PoE: Siemens SCALANCE X308-2M PoE: Siemens SCALANCE X308-2M TS: Siemens SCALANCE X308-2M TS: Siemens SCALANCE X310: Siemens SCALANCE X310: Siemens SCALANCE X310FE: Siemens SCALANCE X310FE: Siemens SCALANCE X320-1 FE: Siemens SCALANCE X320-1-2LD FE: Siemens SCALANCE X408-2: Siemens SCALANCE XC316-8: Siemens SCALANCE XC324-4: Siemens SCALANCE XC324-4 EEC: Siemens SCALANCE XC332: Siemens SCALANCE XC416-8: Siemens SCALANCE XC424-4: Siemens SCALANCE XC432: Siemens SCALANCE XF201-3P IRT: Siemens SCALANCE XF202-2P IRT: Siemens SCALANCE XF204: Siemens SCALANCE XF204-2: Siemens SCALANCE XF204-2BA IRT: Siemens SCALANCE XF204IRT: Siemens SCALANCE XF204IRT: Siemens SCALANCE XF206-1: Siemens SCALANCE XF208: Siemens SCALANCE XR302-32: Siemens SCALANCE XR302-32: Siemens SCALANCE XR302-32: Siemens SCALANCE XR322-12: Siemens SCALANCE XR322-12: Siemens SCALANCE XR322-12: Siemens SCALANCE XR324-12M (230V, ports on front): Siemens SCALANCE XR324-12M (230V, ports on front): Siemens SCALANCE XR324-12M (230V, ports on rear): Siemens SCALANCE XR324-12M (230V, ports on rear): Siemens SCALANCE XR324-12M (24V, ports on front): Siemens SCALANCE XR324-12M (24V, ports on front): Siemens SCALANCE XR324-12M (24V, ports on rear): Siemens SCALANCE XR324-12M (24V, ports on rear): Siemens SCALANCE XR324-12M TS (24V): Siemens SCALANCE XR324-12M TS (24V): Siemens SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front): Siemens SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front): Siemens SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear): Siemens SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear): Siemens SCALANCE XR324-4M EEC (24V, ports on front): Siemens SCALANCE XR324-4M EEC (24V, ports on front): Siemens SCALANCE XR324-4M EEC (24V, ports on rear): Siemens SCALANCE XR324-4M EEC (24V, ports on rear): Siemens SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front): Siemens SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front): Siemens SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear): Siemens SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear): Siemens SCALANCE XR324-4M EEC (2x 24V, ports on front): Siemens SCALANCE XR324-4M EEC (2x 24V, ports on front): Siemens SCALANCE XR324-4M EEC (2x 24V, ports on rear): Siemens SCALANCE XR324-4M EEC (2x 24V, ports on rear): Siemens SCALANCE XR324-4M PoE (230V, ports on front): Siemens SCALANCE XR324-4M PoE (230V, ports on front): Siemens SCALANCE XR324-4M PoE (230V, ports on rear): Siemens SCALANCE XR324-4M PoE (230V, ports on rear): Siemens SCALANCE XR324-4M PoE (24V, ports on front): Siemens SCALANCE XR324-4M PoE (24V, ports on front): Siemens SCALANCE XR324-4M PoE (24V, ports on rear): Siemens SCALANCE XR324-4M PoE (24V, ports on rear): Siemens SCALANCE XR324-4M PoE TS (24V, ports on front): Siemens SCALANCE XR324-4M PoE TS (24V, ports on front): Siemens SCALANCE XR326-8: Siemens SCALANCE XR326-8: Siemens SCALANCE XR326-8: Siemens SCALANCE XR326-8 EEC: Siemens SCALANCE XR502-32: Siemens SCALANCE XR502-32: Siemens SCALANCE XR502-32: Siemens SCALANCE XR522-12: Siemens SCALANCE XR522-12: Siemens SCALANCE XR522-12: Siemens SCALANCE XR524-8WG: Siemens SCALANCE XR524-8WG: Siemens SCALANCE XR524-8WG: Siemens SCALANCE XR524-8WG: Siemens SCALANCE XR526-8: Siemens SCALANCE XR526-8: Siemens SCALANCE XR526-8: Siemens Shopfloor IT Suite: Siemens SIDIS Prime: Siemens OPC UA Modelling Editor (SiOME): Siemens SIMATIC Comfort/Mobile RT: Siemens SIMATIC eaSie Core Package: Siemens SIMATIC eaSie PCS 7 Skill Package: Siemens SIMATIC HMI Basic Panels: Siemens SIMATIC HMI Comfort Panels: Siemens SIMATIC HMI Mobile Panels: Siemens SIMATIC IOT2050: Siemens SIMATIC IPC BX-21A: Siemens SIMATIC IPC MD-57A: Siemens SIMATIC IPC ORCLA: Siemens SIMATIC MV530 H: Siemens SIMATIC MV530 S: Siemens SIMATIC MV540 H: Siemens SIMATIC MV540 H CRANES: Siemens SIMATIC MV540 S: Siemens SIMATIC MV550 H: Siemens SIMATIC MV550 S: Siemens SIMATIC MV560 U: Siemens SIMATIC MV560 X: Siemens SIMATIC PDM V9.3: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC RTLS Locating Manager: Siemens SIMATIC STEP 7 V5: Siemens SIMATIC Target: Siemens SIMATIC WinCC OA V3.19: Siemens SIMATIC WinCC OA V3.20: Siemens SIMATIC WinCC OA V3.21: Siemens SIMATIC WinCC Runtime Advanced V17: Siemens SIMATIC WinCC Unified Sequence: Siemens SIMATIC WinCC V7.5: Siemens SIMATIC WinCC V8.0: Siemens SIMATIC WinCC V8.1: Siemens SIMOTION OACAMGEN: Siemens SIMOVE Fleetmanager V3.1: Siemens SIMOVE Fleetmanager V3.2: Siemens SIMOVE Fleetmanager V3.3: Siemens SINAMICS G200: Siemens SINAMICS G220: Siemens SINAMICS S200: Siemens SINAMICS S210: Siemens SINAMICS S220: Siemens SINEC INS: Siemens SINEC NMS: Siemens SINEC Security Monitor: Siemens SINUMERIK Access MyMachine /OPC UA: Siemens SIPLANT: Siemens SIPLUS NET SCALANCE X202-2P IRT: Siemens SIPLUS NET SCALANCE X308-2: Siemens SITRANS ASM IQ: Siemens SITRANS Soft Sensor Engine IQ (SITRANS SSE IQ): Siemens User Management Component (UMC): Siemens Visual Inspection Cockpit:

Exploit Probability

EPSS
2.89%
Percentile
86.60%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.