A critical vulnerability, CVE-2025-15467, has been identified in OpenSSL with a CVSS score of 9.8. This issue involves a stack buffer overflow that can be triggered when parsing a CMS AuthEnvelopedData message with maliciously crafted AEAD parameters. The potential impact includes Denial of Service (crash) or, critically, remote code execution.
Is DX Unified Infrastructure Management (DX UIM / Nimsoft) affected by this vulnerability?
The CVE-2025-15467 vulnerability, an OpenSSL stack buffer overflow that occurs during CMS AuthEnvelopedData parsing, is not exploitable within the UIM (Unified Infrastructure Management) context. The vulnerability is only triggered when untrusted CMS AuthEnvelopedData (commonly found in secure email formats such as S/MIME) is processed, and UIM does not use CMS or S/MIME parsing. Consequently, based on the initial analysis, the vulnerable code path is never executed in UIM.
The UIM components that ship OpenSSL versions within the vulnerable range (specifically the 3.0 through 3.6 release lines) are listed below.
UIM Server Components (from 23.4 CU6):
Monitoring Probes:
Release: DX UIM
UIM Core components using OpenSSL will be upgraded to version 3.5.5 in the upcoming 23.4 CU7 release, scheduled for the first week of March 2026.
The affected monitoring probes will be updated to OpenSSL 3.5.5. The ETAs for these probe updates will be provided soon, as the development team is currently working on them.