IronMonkey Threat Research

SSA-434797: Buffer Overflow Vulnerability in OpenSSL affecting Siemens Products

CRITICAL
CVSS 9.8
Date 2026-06-09T00:00:00+00:00
Source siemens-productcert
Published by Siemens ProductCERT

// Description

OpenSSL has published a stack-based buffer overflow vulnerability that allows a remote attacker to cause a denial of service (DoS) or potentially execute code remotely. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

// Vulnerabilities (1)

CVE ID CVSS Score Severity Description
CVE-2025-15467 9.8 critical
CVE-2025-15467.

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
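
The length check that the issue summary describes as missing, shown as an added example (this is not OpenSSL or Siemens code): a minimal C reader for the RFC 5084 GCMParameters structure that refuses a nonce longer than its fixed buffer. The 16-byte buffer size, the function names and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_BUF_LEN 16 /* assumed fixed destination size for this example */

/* Read a DER header with the expected tag. Returns the header size, or 0 if
 * malformed or the declared length runs past the n available bytes. */
static size_t der_hdr(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    size_t h = 2, l;
    if (n < 2 || p[0] != tag) return 0;
    l = p[1];
    if (l & 0x80) {                      /* long form: 1-2 length bytes */
        size_t k = l & 0x7f;
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        l = 0;
        for (size_t i = 0; i < k; i++) l = (l << 8) | p[2 + i];
        h += k;
    }
    if (l > n - h) return 0;
    *len = l;
    return h;
}

/* GCMParameters (RFC 5084): SEQUENCE { aes-nonce OCTET STRING,
 * aes-ICVlen INTEGER DEFAULT 12 }. Copies the nonce into iv[] and returns
 * its length, or -1 if the input is malformed or the nonce does not fit. */
int gcm_params_get_iv(const uint8_t *der, size_t n, uint8_t iv[IV_BUF_LEN])
{
    size_t seq_len, iv_len, h;
    if ((h = der_hdr(der, n, 0x30, &seq_len)) == 0) return -1;
    der += h;
    if ((h = der_hdr(der, seq_len, 0x04, &iv_len)) == 0) return -1;
    /* Bound the untrusted length by the destination size before copying. */
    if (iv_len == 0 || iv_len > IV_BUF_LEN) return -1;
    memcpy(iv, der + h, iv_len);
    return (int)iv_len;
}

/* Constructed samples: a 12-byte nonce, and a 32-byte zero-filled nonce. */
static const uint8_t SAMPLE_OK[] = {0x30, 0x11, 0x04, 0x0c, 1, 2, 3, 4, 5, 6,
                                    7, 8, 9, 10, 11, 12, 0x02, 0x01, 0x10};
static const uint8_t SAMPLE_BIG[36] = {0x30, 0x22, 0x04, 0x20};

int main(void)
{
    uint8_t iv[IV_BUF_LEN];
    printf("%d %d\n", gcm_params_get_iv(SAMPLE_OK, sizeof SAMPLE_OK, iv),
           gcm_params_get_iv(SAMPLE_BIG, sizeof SAMPLE_BIG, iv));
    return 0;
}
```

The same bound, applied to the declared length before any copy, is what a pre-filter in front of a CMS parser would enforce on untrusted input.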

// Affected Products (218)

Vendor Product Asset Type Purdue Level Firmware
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown engineering_workstation L3 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown hmi L2 --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- vers:all/*
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --
Siemens Unknown network_device -- --

// Remediations (26)

Patch: The problem is corrected in the following product version:
  - AC500 V3 firmware version 3.9.0 HF1
  ABB recommends that customers apply the update at the earliest convenience. This firmware version is released for all AC500 V3 PLC types and available for download from the ABB library. https://search.abb.com/library/Download.aspx?DocumentID=3ADR011537&LanguageCode=en&DocumentPartId=&Action=Launch
Mitigation: The hardening instructions mentioned in the product's security concept should be followed
Mitigation: Restrict the port at the host with the DeviceConnectionProxy to secure destinations
Mitigation: Securing the connected email server as follows:
  • Configure the email server to enforce encrypted communication (TLS/SSL) for all SMTP connections.
  • Restrict access to the email server to trusted systems only (e.g., by using firewall rules or IP allowlists).
  • Ensure strong authentication to access the email server.
  • Keep the email server software and underlying operating system up to date with the latest security patches.
Patch: Update to V17 Update 9 or later version
Patch: Update to V17.9 or later version
Patch: Update to V3.21 P02 or later version
Patch: Update to V3.3.2 or later version
Mitigation: As a defense-in-depth measure, organizations may review whether affected systems are exposed to untrusted CMS/PKCS#7 content from external sources.
Patch: Update to V3.19 P024 or later version
Patch: Contact customer support [email protected]
Patch: Update to V5.7 SP4 or later version
Patch: Update to V2.15.3.0 or later version
Patch: Update to V3.20 P012 or later version
Patch: Update to V17 Update 9 or later version
Patch: Update to V1.0 SP2 Update 5 or later version
Patch: Contact customer support
Mitigation: Do not accept files from untrusted and unvalidated sources in the affected applications
Mitigation: Securing the connected email server as follows:
  • Configure the email server to enforce encrypted communication (TLS/SSL) for all SMTP connections.
  • Restrict access to the email server to trusted systems only (e.g., by using firewall rules or IP allowlists).
  • Ensure strong authentication to access the email server.
  • Keep the email server software and underlying operating system up to date with the latest security patches.
Patch: Update to V1.8.0 or later version
Patch: Update to V21 or later version
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.
Workaround: No workarounds are available
Patch: The problem is corrected in the following product version:
  - AC500 V3 firmware version 3.9.0 HF1
  ABB recommends that customers apply the update at the earliest convenience. This firmware version is released for all AC500 V3 PLC types and available for download from the ABB library. https://search.abb.com/library/Download.aspx?DocumentID=3ADR011537&LanguageCode=en&DocumentPartId=&Action=Launch
Workaround: No workarounds are available
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.

// References