A critical vulnerability in OpenSSL, tracked as CVE-2025-0001, has been disclosed that could allow attackers to execute arbitrary code on affected servers. The flaw impacts OpenSSL versions 3.0 through 3.2 and has been assigned a CVSS score of 9.8.

Impact

The vulnerability exists in the X.509 certificate verification routine. An attacker can craft a malicious certificate that, when processed by a vulnerable server, triggers a buffer overflow leading to remote code execution.

Researchers estimate that millions of servers worldwide are running affected versions, including major cloud providers and enterprise infrastructure.

Mitigation

The OpenSSL Project has released patches for all supported versions:

  • OpenSSL 3.2.1
  • OpenSSL 3.1.5
  • OpenSSL 3.0.13

System administrators are urged to update immediately. As a temporary workaround, disabling client certificate verification can reduce the attack surface, though this is not recommended for production environments.
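As an added example (not part of this advisory and not OpenSSL Project code), the following Python helper turns the upgrade guidance above into a check an administrator can run on a fleet: it parses the output of `openssl version`, decides whether the build sits in the affected 3.0 to 3.2 range below the fixed release for its branch, and names which of the three patched releases listed above to move to. It assumes the standard `openssl version` output format ("OpenSSL 3.0.9 1 Aug 2023"); the sample strings inside the block are constructed, and builds from other 3.x branches or from the 1.1.1 series are treated as outside the range the advisory names.

```python
"""Check an OpenSSL version string against the fixed releases named in the advisory."""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by the 3.x branch they belong to.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (3, 0): (3, 0, 13),
    (3, 1): (3, 1, 5),
    (3, 2): (3, 2, 1),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `openssl version` output.

    Returns None when no 'OpenSSL x.y.z' triple is present (for example a
    LibreSSL build). Suffixes such as '-dev' or the 1.1.1 letter releases
    ('1.1.1w') are reduced to their numeric part, so a '3.0.13-dev' snapshot
    is treated as the 3.0.13 release; confirm snapshots by hand.
    """
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version is on an affected 3.x branch and below its fixed release."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # 1.1.1 and 3.3+ are not in the 3.0 to 3.2 range the advisory names.
        return False
    return version < fixed


def assess(text: str) -> Optional[dict]:
    """Summarise one `openssl version` line: parsed version, affected flag, upgrade target."""
    version = parse_version(text)
    if version is None:
        return None
    affected = is_affected(version)
    fixed = FIXED_RELEASES.get(version[:2])
    return {
        "version": ".".join(str(p) for p in version),
        "affected": affected,
        "upgrade_to": ".".join(str(p) for p in fixed) if affected and fixed else None,
    }


def assess_local() -> Optional[dict]:
    """Run `openssl version` on this host and assess it; None if the binary is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return assess(out.stdout)


if __name__ == "__main__":
    # Constructed sample lines standing in for `openssl version` output from several hosts.
    samples = [
        "OpenSSL 3.0.9 1 Aug 2023",
        "OpenSSL 3.1.5 30 Jan 2024",
        "OpenSSL 3.2.0 23 Nov 2023",
        "OpenSSL 1.1.1w 11 Sep 2023",
        "LibreSSL 3.3.6",
    ]
    for line in samples:
        print(f"{line!r:32} -> {assess(line)}")
    print("this host ->", assess_local())
```

The check keys on the branch rather than on a single global threshold, because each 3.x branch has its own fixed release; a flat comparison against 3.2.1 would wrongly flag a patched 3.0.13 as out of date.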

Timeline

  • January 10: Vulnerability reported to OpenSSL Security Team
  • January 13: Patches developed and tested
  • January 15: Public disclosure and patch release