Analysis of CVE-2025-15467 (OpenSSL Stack Buffer Overflow) in VIP Enterprise Gateway
Article ID: 428893

Products

VIP Service

Issue/Introduction

On January 27, 2026, a vulnerability in the OpenSSL library was disclosed (CVE-2025-15467). This vulnerability involves a stack buffer overflow within the Cryptographic Message Syntax (CMS) parsing code.

While VIP Enterprise Gateway ships an affected version of OpenSSL (v3.6.0), our engineering team has completed a thorough audit and determined that Enterprise Gateway (EG) is not exposed to this vulnerability, because it does not use the specific CMS or PKCS#7 decryption APIs required to reach the flawed code.

Cause

About CVE-2025-15467

This vulnerability occurs when OpenSSL processes a CMS AuthEnvelopedData structure using AEAD ciphers (such as AES-GCM). When the library parses the message to extract the Initialization Vector (IV), it attempts to copy that IV into a fixed 16-byte buffer on the stack.

The Bug: An attacker can supply a maliciously crafted message containing an oversized IV. Because the library fails to check the IV length against the buffer size before copying, the oversized data overflows the stack buffer, leading to a potential crash or remote code execution (RCE). The copy happens during parsing, before any authentication or integrity check on the message has taken place.
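To make the mechanism concrete, the following added example (written for this article, not code from OpenSSL or from the VIP product) shows the defensive pattern that is missing in the described bug: an IV parameter is parsed from untrusted bytes and its declared length is checked against the fixed 16-byte destination before any copy. The encoding used here (one length byte followed by the IV) is a constructed, hypothetical stand-in for the real DER-encoded AEAD parameters, and the inputs are constructed test vectors.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed stack buffer described in the article: 16 bytes. */
#define IV_BUF_LEN 16

enum iv_status {
    IV_OK            =  0,
    IV_ERR_EMPTY     = -1,
    IV_ERR_TRUNCATED = -2,
    IV_ERR_TOO_LONG  = -3
};

/* Hypothetical parameter encoding used only for this example:
 *   byte 0     = declared IV length
 *   bytes 1..n = IV bytes
 * This is NOT the real DER GCMParameters layout that OpenSSL parses. */
enum iv_status extract_iv(const uint8_t *param, size_t param_len,
                          uint8_t iv[IV_BUF_LEN], size_t *iv_len_out)
{
    if (param == NULL || param_len < 1)
        return IV_ERR_EMPTY;

    size_t iv_len = param[0];

    /* The check the vulnerable code lacked: the declared length is
     * attacker-controlled, so it must be compared with the destination
     * size BEFORE memcpy. An unchecked copy here is the stack overflow. */
    if (iv_len > IV_BUF_LEN)
        return IV_ERR_TOO_LONG;

    /* Also refuse to read past the end of the supplied input. */
    if (iv_len > param_len - 1)
        return IV_ERR_TRUNCATED;

    memcpy(iv, param + 1, iv_len);
    *iv_len_out = iv_len;
    return IV_OK;
}

/* Runs the parser over three constructed inputs and returns how many
 * were classified as expected (3 when everything is correct). */
int demo(void)
{
    uint8_t iv[IV_BUF_LEN];
    size_t n = 0;
    int ok = 0;

    /* 1. Typical AES-GCM nonce: 12 bytes, fits in the buffer. */
    uint8_t good[13] = {12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    if (extract_iv(good, sizeof good, iv, &n) == IV_OK && n == 12)
        ok++;

    /* 2. Oversized IV: declares 32 bytes, twice the buffer size. */
    uint8_t oversized[33];
    memset(oversized, 0x41, sizeof oversized);
    oversized[0] = 32;
    if (extract_iv(oversized, sizeof oversized, iv, &n) == IV_ERR_TOO_LONG)
        ok++;

    /* 3. Truncated input: claims 12 bytes but only 4 follow. */
    uint8_t truncated[5] = {12, 9, 9, 9, 9};
    if (extract_iv(truncated, sizeof truncated, iv, &n) == IV_ERR_TRUNCATED)
        ok++;

    return ok;
}

int main(void)
{
    printf("%d of 3 constructed inputs classified correctly\n", demo());
    return 0;
}
```

The point of the example is the ordering: length validation must precede the copy, and both the destination size and the remaining input length are bounds that untrusted input cannot be trusted to respect. The oversized case is exactly the shape of input the article describes; with the check in place it is rejected instead of written past the end of the buffer.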

Vulnerability Criteria

An application is only at risk if all of the following conditions are met:

  1. Version: Uses an affected OpenSSL version (3.0.x, 3.3.x, 3.4.x, 3.5.x, 3.6.x).

  2. API Usage: Calls specific CMS/PKCS#7 decryption APIs (e.g., CMS_decrypt, PKCS7_decrypt).

  3. Data Source: Processes untrusted or externally provided CMS data.

  4. Cipher Type: Uses AEAD ciphers within the CMS context.

Resolution

Although VIP Enterprise Gateway includes OpenSSL 3.6.0, the product does not use the OpenSSL CMS module (<openssl/cms.h>) or the PKCS7_decrypt functions. Our architecture uses OpenSSL primarily for Transport Layer Security (TLS) and standard symmetric encryption, neither of which is affected by this specific vulnerability.

Impact Assessment for VIP Enterprise Gateway

We have evaluated VIP Enterprise Gateway against the exploitation criteria defined by OpenSSL and security researchers (JFrog).

Condition to Exploit           | Requirement | VIP EG Status
-------------------------------|-------------|--------------------
Affected OpenSSL Version       | Yes         | Confirmed (v3.6.0)
CMS/PKCS7 API Usage            | Yes         | None Detected
Processes Untrusted CMS Data   | Yes         | No
Uses AEAD in CMS Context       | Yes         | No

Resolution & Recommendations

No remediation action is required for customers using VIP Enterprise Gateway (EG).

Because the vulnerable code paths are never executed by VIP Enterprise Gateway, the presence of the affected OpenSSL library does not pose a security risk in this context. We will continue to update the OpenSSL library in our standard maintenance releases as part of our commitment to proactive security hygiene.

Note: If you are using OpenSSL in your own custom integrations outside of the VIP EG product, we recommend updating your OpenSSL binaries to the latest patched version provided by the OpenSSL project.