The OpenSSL Project tomorrow is scheduled to release version 3.0.7 of the popular open source encryption library that patches a critical vulnerability, the first disclosed and addressed by OpenSSL in six years.
The project's maintainers have not provided any substantial details as of yet on the vulnerability.
OpenSSL is everywhere within IT, operational technology, and connected embedded systems. Commercial and homegrown software projects include OpenSSL as their cryptographic key solution.
The affected version—3.0—was released in 2021 and is less likely to be deployed in OT environments and within critical infrastructure given their slower update cycles.
The last critical vulnerability publicly disclosed and patched by OpenSSL was in September 2016 when an emergency security update addressed a flaw introduced by an earlier update. The patch in question introduced a dangling pointer vulnerability that could lead to server crashes or remote code execution.
2014’s Heartbleed vulnerability is one of the biggest internet-wide bugs of the 21st century. Heartbleed leaked memory to any client or server that was connected, and that exposed servers to attack. It also kicked off a major patching frenzy at the time as administrators scrambled to understand where OpenSSL was deployed within their infrastructure, and whether it could be updated before exploits were made public.
It also caused OpenSSL’s handlers and the maintainers of other ubiquitous open source projects to scrutinize the security of their code and how users are impacted. Therefore, it’s critical for organizations to get ahead of this potential patching effort. The SANS Institute today published a blog recommending that in many cases, the OpenSSL command utility below would reveal whether OpenSSL 3.0 is in use.
% openssl versionSANS Institute also published a list of affected Linux distributions, which is relatively few. MacOS users are not affected because the OS users LibreSSL by default. Other software, however, may later have installed OpenSSL, according to SANS.
The National Cyber Security Centrum (NCSC-NL) is also maintaining a list of software affected by the vulnerability that users are urged to monitor.
Users should expect OpenSSL to release its update between 1 p.m. and 5 p.m. UTC.
CWE-15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING:
A post-authenticated external control of system web interface configuration setting vulnerability exists in the Danfoss AK-SM8xxA Series prior to version 4.3.1, which could allow for a denial-of-service attack induced by improper handling of exceptional conditions.
Danfoss created release R4.3.1 to address CVE-2025-41452.
CVSS v3: 5.4
CWE-77 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('Command Injection'):
Improper neutralization of alarm-to-mail configuration fields used in an OS shell command injection in Danfoss AK-SM8xxA Series, prior to version 4.3.1, may lead to post-authenticated remote code execution on an attacked system.
Danfoss created release R4.3.1 to address CVE-2025-41451.
CVSS v3: 7.6
CWE-617 REACHABLE ASSERTION:
Affected devices do not properly validate input sent to its listening port on the local loopback interface. This could allow an unauthenticated local attacker to cause a denial of service condition.
Users are urged to update to SIMATIC RTLS Locating Manager: V3.3 or later version.
CVSS v3: 6.2
CWE-23 RELATIVE PATH TRAVERSAL:
An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.1
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.2
