OpenSSL 3.0.0-3.0.18, 3.3.0-3.3.5, 3.4.0-3.4.3, 3.5.0-3.5.4, 3.6.0 - Stack-based Buffer Overflow via CMS AEAD IV Parsing
Exploitation Summary
EIP tracks 6 public exploits for CVE-2025-15467. PoCs published by guiimoraes, balgan, exploitintel.
AI-analyzed exploit summary
This repository contains a functional exploit for CVE-2025-15467, a stack buffer overflow in OpenSSL's CMS parsing code, which can lead to remote code execution via crafted CMS AuthEnvelopedData structures.
Description
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData messages with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Exploits (6)
This repository contains a functional exploit for CVE-2025-15467, a stack buffer overflow in OpenSSL's CMS parsing code, which can lead to remote code execution via crafted CMS AuthEnvelopedData structures.
This repository contains a functional DoS exploit for CVE-2025-15467, a stack buffer overflow in OpenSSL's CMS AuthEnvelopedData parsing. The exploit crafts a malformed CMS payload with an oversized IV to trigger a crash in vulnerable OpenSSL versions.
This repository contains a functional exploit PoC for CVE-2025-15467, a stack-based buffer overflow in OpenSSL's CMS AuthEnvelopedData handling. It includes a Dockerized lab environment with pinned vulnerable binaries, a custom CMS server, and a deterministic exploit script that demonstrates ROP-based RCE.
This repository contains a PowerShell scanner for detecting vulnerable OpenSSL 3.x DLLs (libcrypto-3.dll and libssl-3.dll) affected by CVE-2025-15467. It supports local and remote scanning via WinRM, with security hardening measures like UNC path blocking and HTTPS transport.
This repository contains a functional exploit PoC for CVE-2025-15467, demonstrating a stack buffer overflow in OpenSSL 3.4.0 via a maliciously crafted CMS file with an oversized GCM IV. The GitHub Actions workflow automates the build of a vulnerable OpenSSL version and triggers the crash.
This repository contains a functional exploit for CVE-2025-15467, targeting a stack buffer overflow in OpenSSL 3.4.0's `evp_cipher_get_asn1_aead_params()` function. The exploit includes a vulnerable CMS decryption service and a PoC script that demonstrates both DoS and RCE via crafted AuthEnvelopedData with oversized AEAD initialization vectors.
References (10)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H