[Layer7] CVE-2025-15467: OpenSSL Stack Buffer Overflow Vulnerability

Article ID: 429404

Products

  • CA API Gateway
  • CA API Developer Portal

Issue/Introduction

A critical vulnerability, CVE-2025-15467, has been identified in OpenSSL with a CVSS score of 9.8. This issue involves a stack buffer overflow that can be triggered when parsing a CMS AuthEnvelopedData message with maliciously crafted AEAD parameters. The potential impact includes Denial of Service (crash) or, critically, remote code execution.

Although this CVE is found in scans of the affected Layer7 products, Layer7 has assessed that this vulnerability is not exploitable in those products. There is no impact on Layer7 products. Any fixes provided will ensure that the CVE is no longer reported in security scans.

Environment

Affected product versions:

  • API Gateway 11.1, 11.2
  • API Developer Portal 5.3, 5.4

Resolution

Although this CVE is found in scans of the affected Layer7 products, Layer7 has assessed that this vulnerability is not exploitable in those products. There is no impact on Layer7 products. Any fixes provided will ensure that the CVE is no longer reported in security scans.

For the API Gateway:

  • For 11.2, the January 2026 monthly platform patch (MPP) does contain a fix. Users should apply this patch.
  • For 11.1, the February 2026 monthly platform patch (MPP) will contain a fix. Users should apply this patch.

For the API Developer Portal:

  • The API Portal 5.4.1 release will contain a fix. Users should upgrade to this version.