MUST READ

OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution

 | 

U.S. CISA adds a flaw in multiple Fortinet products to its Known Exploited Vulnerabilities catalog

 | 

Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858)

 | 

PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun

 | 

WhatsApp rolls out Strict Account settings to strengthen protection for high-risk users

 | 

Shadowserver finds 6,000+ likely vulnerable SmarterMail servers exposed online

 | 

U.S. CISA adds Microsoft Office, GNU InetUtils, SmarterTools SmarterMail, and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

 | 

Amnesia RAT deployed in multi-stage phishing attacks against Russian users

 | 

Dormakaba flaws allow to access major organizations’ doors

 | 

Emergency Microsoft update fixes in-the-wild Office zero-day

 | 

ShinyHunters claims 2 Million Crunchbase records; company confirms breach

 | 

Energy sector targeted in multi-stage phishing and BEC campaign using SharePoint

 | 

North Korea–linked KONNI uses AI to build stealthy malware tooling

 | 

Russia-linked Sandworm APT implicated in major cyber attack on Poland’s power grid

 | 

Nike is investigating a possible data breach, after WorldLeaks claims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 81

 | 

Security Affairs newsletter Round 560 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Osiris ransomware emerges, leveraging BYOVD technique to kill security tools

 | 

U.S. CISA adds a flaw in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities catalog

 | 

11-Year-Old critical telnetd flaw found in GNU InetUtils (CVE-2026-24061)

 | 

OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution

Pierluigi Paganini January 29, 2026

OpenSSL released security updates that address 12 flaws, including a high-severity remote code execution vulnerability.

OpenSSL issued security updates fixing 12 vulnerabilities in the open-source cryptographic library, including a high-severity remote code execution flaw.

Cybersecurity firm Aisle discovered the twelve vulnerabilities.

The addressed issues are mainly tied to memory safety, parsing robustness, and resource handling. The flaws include stack and heap overflows in PKCS#12 and CMS parsing, NULL pointer dereferences and type-confusion bugs in ASN.1, PKCS#7, QUIC, and TimeStamp handling that can cause denial of service, and out-of-bounds writes in auxiliary APIs like BIO filters. OpenSSL also corrected a logic bug in the CLI signing tool that failed to fully authenticate large inputs, a TLS 1.3 certificate compression issue that enabled memory exhaustion, and a low-level OCB mode flaw that could leave data partially unprotected.

The two most severe issues are:

  1. CVE‑2025‑15467 – CMS AuthEnvelopedData AEAD IV stack overflow – A stack buffer overflow in OpenSSL CMS/PKCS#7 AEAD parsing lets attackers supply an oversized IV that overflows a fixed stack buffer before authentication. The flaw can cause DoS or potentially lead to RCE and affects OpenSSL 3.0–3.6 when parsing untrusted AuthEnvelopedData.
  2. CVE‑2025‑11187 – PBMAC1 in PKCS#12 stack overflow / pointer issues – A validation flaw in OpenSSL PKCS#12 PBMAC1 lets attackers abuse PBKDF2 parameters to overflow a fixed 64-byte stack buffer during MAC verification. The issue can trigger DoS and potentially code execution. It affects OpenSSL 3.4–3.6 when parsing untrusted PKCS#12 files.

Other 2026 issues are assessed as Low severity in the bulletin and are primarily constrained to Denial of Service or integrity gaps in narrower usage scenarios (CLI tools, legacy PKCS#7, TimeStamp, BIO filters, OCB low‑level API, PKCS#12 parsing type confusions with DoS‑only impact).

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

encryption Hacking hacking news information security news IT Information Security OpenSSL Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini January 28, 2026
U.S. CISA adds a flaw in multiple Fortinet products to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini January 28, 2026
Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858)
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution

Security / January 29, 2026

U.S. CISA adds a flaw in multiple Fortinet products to its Known Exploited Vulnerabilities catalog

Security / January 28, 2026

Fortinet patches actively exploited FortiOS SSO auth bypass (CVE-2026-24858)

Security / January 28, 2026

PackageGate bugs let attackers bypass protections in NPM, PNPM, VLT, and Bun

Hacking / January 28, 2026

WhatsApp rolls out Strict Account settings to strengthen protection for high-risk users

Security / January 27, 2026