FireDaemon OpenSSL Security Update: Patches Released

Writer: James Bourne

January 29, 2026 - FireDaemon has released updated OpenSSL installers and binary distributions addressing multiple security vulnerabilities disclosed in the January 27, 2026 OpenSSL Security Advisory. All users are strongly encouraged to upgrade immediately.



What's New?

FireDaemon's latest OpenSSL installers and binary distributions patch 12 security vulnerabilities (1 High, 1 Moderate, 10 Low severity), including one high-severity issue affecting CMS AuthEnvelopedData parsing. These updates ensure your systems remain secure against potential exploits including buffer overflows, denial of service attacks, and memory corruption issues.


Affected Versions and Upgrades

The following FireDaemon OpenSSL versions are now available:


  • FireDaemon OpenSSL 3.6.1

  • FireDaemon OpenSSL 3.5.5 LTS

  • FireDaemon OpenSSL 3.0.19 LTS
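A quick way to check whether a host is on one of the fixed releases listed above: this is an added example, not a FireDaemon tool. It parses the banner printed by `openssl version`, maps the installed build to its branch, and compares against the three fixed versions named in this advisory. Any other branch (1.1.1, 3.1 to 3.4) is reported as not covered here, because this page lists no fixed version for it; the `openssl` executable path is an assumption.

```python
import re
import subprocess

# Fixed FireDaemon OpenSSL releases named in this advisory, keyed by branch.
# Assumption: branches not in this table are simply not covered by the page.
FIXED_BY_BRANCH = {
    (3, 0): (3, 0, 19),
    (3, 5): (3, 5, 5),
    (3, 6): (3, 6, 1),
}

# Matches the leading "OpenSSL X.Y.Z" of an `openssl version` banner.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def assess(banner):
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unknown-branch'."""
    major, minor, patch = parse_version(banner)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "unknown-branch", f"{major}.{minor}.x is not listed in this advisory"
    fixed_str = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return "patched", f"{major}.{minor}.{patch} >= {fixed_str}"
    return "vulnerable", f"upgrade {major}.{minor}.{patch} -> {fixed_str}"


def assess_local(openssl="openssl"):
    """Run the local openssl binary (path is an assumption) and assess its banner."""
    proc = subprocess.run([openssl, "version"], capture_output=True, text=True, check=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners in the shape `openssl version` prints.
    for sample in ("OpenSSL 3.5.4 (constructed sample)", "OpenSSL 3.6.1 (constructed sample)"):
        print(sample, "->", assess(sample))
```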


Key Security Fixes


High Severity

  • CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing that could lead to remote code execution. This vulnerability is particularly critical because it occurs before any cryptographic verification, meaning attackers don't need valid credentials to trigger it. Systems processing S/MIME email or encrypted documents from untrusted sources should prioritise this update immediately.


Moderate Severity

  • CVE-2025-11187: PKCS#12 PBMAC1 parameter validation issues causing potential buffer overflow. While this affects applications importing certificate bundles (.p12/.pfx files), it's uncommon in practice since PKCS#12 files typically contain private keys from trusted sources.


Low Severity Issues (10 CVEs)

Additional fixes addressing denial of service vulnerabilities including:


  • QUIC protocol cipher handling (CVE-2025-15468)

  • Command-line tool file truncation for large files >16MB (CVE-2025-15469)

  • TLS 1.3 certificate compression memory exhaustion (CVE-2025-66199)

  • Multiple PKCS#12 and PKCS#7 parsing issues

  • OCB mode authentication gaps in low-level API usage


Why Upgrade Now?

These vulnerabilities affect applications processing untrusted data including:


  • CMS and PKCS#7 content (S/MIME messages)

  • PKCS#12 certificate files

  • TLS 1.3 connections with certificate compression

  • QUIC protocol implementations


Upgrading protects your infrastructure from potential crashes, service degradation, and in the most severe cases, remote code execution.


Who Should Prioritise This Update?


CRITICAL Priority (Immediate - 7 days):

  • Email servers processing S/MIME from external/untrusted sources

  • Document signing systems accepting CMS/PKCS#7 from external parties


HIGH Priority (14-30 days):

  • Systems importing PKCS#12 certificate bundles from untrusted sources

  • TLS 1.3 deployments with certificate compression enabled

  • Custom QUIC applications with cipher inspection


ROUTINE Priority (30+ days):

  • Standard web servers running TLS/HTTPS

  • FIPS-validated deployments (none of these vulnerabilities affect FIPS modules)

  • General security hygiene updates


Important Note: The HIGH severity CMS issue (CVE-2025-15467) is particularly dangerous because the overflow occurs before authentication—no valid cryptographic keys are needed to exploit it.


Download and Installation

Get the latest FireDaemon OpenSSL builds from our website:



About FireDaemon: FireDaemon provides enterprise-grade Windows service management solutions, maintains optimised OpenSSL builds for Windows platforms, and offers OpenSSL integration and software development services to ensure businesses have access to the latest security updates and performance improvements.
