OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks

Three vulnerabilities have been patched with the release of OpenSSL updates. 

The OpenSSL Project has announced the availability of several new versions of the open source SSL/TLS toolkit, which include patches for three vulnerabilities.

Versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library have been released. Most of them fix all three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232.

Two of the vulnerabilities have been assigned a ‘moderate severity’ rating. One of them is CVE-2025-9231, which may allow an attacker to recover the private key. 

OpenSSL is used by many applications, websites and services for securing communications and an attacker who can obtain a private key may be able to decrypt encrypted traffic or conduct a man-in-the-middle (MitM) attack. 

However, OpenSSL developers pointed out that only the SM2 algorithm implementation on 64-bit ARM platforms is impacted.

“OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts,” the developers explained. “However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.”

CVE-2025-9230, described as an out-of-bounds read/write issue that can be exploited for arbitrary code execution or DoS attacks, has also been assigned a ‘moderate severity’ rating.

“Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low,” the OpenSSL Project’s security advisory explains. 

The third vulnerability is ‘low severity’ and it can be exploited to trigger a crash that can result in a DoS condition. 

The security of OpenSSL has evolved a great deal since the discovery of the notorious Heartbleed vulnerability. 

While some flaws have still made headlines, the number and severity of vulnerabilities found in OpenSSL in recent years have been low. Only three other issues have been resolved to date in 2025 and only one has a ‘high severity’ rating. 

The high-severity issue was discovered by Apple researchers and it can allow MitM attacks. 
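For triage, the following added example (not from the OpenSSL Project or the original article) compares a reported OpenSSL version string against the fixed releases listed above, including the letter-suffixed 1.1.1 and 1.0.2 releases. The function names and status labels are assumptions made for illustration, and a distribution that backports fixes without changing the upstream version number will show as `needs-update` even when it is patched.

```python
import re
import ssl

# Fixed release per branch, as listed in the article.
FIXED = {
    "3.5": "3.5.4", "3.4": "3.4.3", "3.3": "3.3.5", "3.2": "3.2.6",
    "3.0": "3.0.18", "1.1.1": "1.1.1zd", "1.0.2": "1.0.2zm",
}

# Accepts "3.0.13", "1.1.1w" or the full "OpenSSL 3.0.13 30 Jan 2024" banner.
# Other products (for example "LibreSSL 3.3.6") are rejected on purpose.
_VERSION = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse(version_text):
    """Return a sortable key: (major, minor, patch, len(letters), letters)."""
    match = _VERSION.match(version_text.strip())
    if match is None:
        raise ValueError("not an OpenSSL version string: %r" % version_text)
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letters = match.group(4)
    # Letter releases run a..z, then za, zb, ...; ordering by length first
    # and then alphabetically puts "w" before "zd" and "zd" before "zm".
    return (major, minor, patch, len(letters), letters)


def branch(key):
    """3.x branches are major.minor; 1.x branches are major.minor.patch."""
    major, minor, patch = key[:3]
    return "%d.%d" % (major, minor) if major >= 3 else "%d.%d.%d" % (major, minor, patch)


def status(version_text):
    """Classify a version as fixed, needs-update, unknown-branch or not-openssl."""
    try:
        key = parse(version_text)
    except ValueError:
        return "not-openssl"
    fixed = FIXED.get(branch(key))
    if fixed is None:
        return "unknown-branch"  # branch not named in the article
    return "fixed" if key >= parse(fixed) else "needs-update"


if __name__ == "__main__":
    # Version of the library this Python interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", status(ssl.OPENSSL_VERSION))
```
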

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
