CVE-2025-15467: CA Harvest SCM - OpenSSL Stack Buffer Overflow Vulnerability

Article ID: 422778


Updated On:

Products

CA Harvest Software Change Manager
CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

OpenSSL versions 3.x contain a critical stack buffer overflow vulnerability (CVE-2025-15467, CVSS 9.8) in the CMS (Cryptographic Message Syntax) AuthEnvelopedData parsing functionality. When processing maliciously crafted AEAD (Authenticated Encryption with Associated Data) parameters, specifically oversized Initialization Vectors (IV) in ASN.1 format, an attacker could potentially trigger remote code execution (RCE) or denial of service without requiring valid key material or authentication.

The vulnerability affects applications that:

Call CMS-related APIs: CMS_decrypt, CMS_RecipientInfo_decrypt, PKCS7_decrypt, EVP_CIPHER_asn1_to_param

Use OpenSSL command-line tools: openssl cms or openssl smime

Process CMS AuthEnvelopedData messages with AEAD ciphers (e.g., AES-GCM)
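One way to check a source or install tree against the exposure list above, as an added example that is not part of the original article or the vendor's tooling: it flags files that reference the listed API names or invoke `openssl cms` / `openssl smime`. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# API names and CLI subcommands copied from the advisory's exposure list.
APIS = ("CMS_decrypt", "CMS_RecipientInfo_decrypt", "PKCS7_decrypt",
        "EVP_CIPHER_asn1_to_param")
# Whole-token match on raw bytes: catches C source and symbol strings in
# binaries, but not longer names such as CMS_decrypt_set1_pkey.
API_RE = re.compile(rb"(?<![A-Za-z0-9_])(" + "|".join(APIS).encode()
                    + rb")(?![A-Za-z0-9_])")
CLI_RE = re.compile(rb"\bopenssl(?:\.exe)?\s+(cms|smime)\b")

def scan_file(path):
    """Return sorted (kind, name) findings for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = {("api", m.group(1).decode()) for m in API_RE.finditer(data)}
    hits |= {("cli", "openssl " + m.group(1).decode()) for m in CLI_RE.finditer(data)}
    return sorted(hits)

def scan_tree(root):
    """Map each file under root (relative, '/'-separated) to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:  # unreadable file: skip instead of aborting the audit
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Scan a constructed sample tree (file names and contents are made up)."""
    samples = {
        "src/mail.c": b"ok = CMS_decrypt(cms, pkey, cert, NULL, out, 0);\n",
        "src/keys.c": b"CMS_decrypt_set1_pkey(cms, pkey, cert);\n",
        "bin/libfoo.so": b"\x7fELF\x00PKCS7_decrypt\x00EVP_CIPHER_asn1_to_param\x00",
        "scripts/verify.sh": b"openssl smime -decrypt -in msg.p7m -inkey key.pem\n",
        "scripts/tls.sh": b"openssl s_client -connect host:443\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A hit is a lead for code review rather than proof that the call is reachable, and a clean result covers only the files that were scanned.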

NIST - CVE-2025-15467 Detail

Environment

Affected Versions:
CA Harvest SCM V14.0.5 (using OpenSSL 3.0.8)
CA Harvest SCM V14.5.01 (using OpenSSL 3.4.0)
All platforms (Windows, Linux, AIX, Solaris, macOS, ZLinux)

Resolution

Harvest SCM is not affected by this vulnerability. Although the product uses affected OpenSSL versions (3.0.8 and 3.4.0), the actual exploitation risk is LOW because there is no direct exposure to the vulnerability: Harvest does not use any of the vulnerable CMS-related APIs such as CMS_decrypt, CMS_RecipientInfo_decrypt, PKCS7_decrypt and EVP_CIPHER_asn1_to_param, the OpenSSL CMS/SMIME command-line tools, or CMS AuthEnvelopedData message processing.

This fix is available here:

Harvest v14.5 - OpenSSL Vulnerability Remediation

The title of the link mentions only Harvest v14.5, but please note that this fix is for Harvest 14.5 and 14.5.01.