
Hitachi Energy RTU500

A series of vulnerabilities in OpenSSL and libexpat has been disclosed, affecting multiple versions. The most critical vulnerability (CVE-2025-69421) allows Denial of Service through a NULL pointer dereference when processing malformed PKCS#12 files. OpenSSL users should upgrade to the latest versions to mitigate the risk.

Summary

Recent advisories highlight vulnerabilities in both OpenSSL and libexpat libraries, posing significant security concerns. The most severe issue, CVE-2025-69421, impacts OpenSSL by allowing Denial of Service attacks through NULL pointer dereference when processing malformed PKCS#12 files. This vulnerability affects versions 3.6, 3.5, 3.4, 3.3, and 1.0.2, but not the FIPS modules in these versions. Users are advised to upgrade to OpenSSL 3.6.1 or later. Additionally, libexpat vulnerabilities (CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, and CVE-2026-32778) present varying levels of risk from NULL pointer dereferences to potential infinite loops during XML parsing. These issues affect versions before 2.7.5 and require immediate attention.

What Happened

OpenSSL has disclosed several vulnerabilities affecting its PKCS#12 processing capabilities. The most critical, CVE-2025-69421, involves a NULL pointer dereference that can lead to Denial of Service when handling malformed PKCS#12 files. This vulnerability is present in OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 1.0.2, but not in the FIPS modules of these versions. The issue arises because the PKCS12_item_decrypt_d2i_ex() function fails to check if the oct parameter is NULL before dereferencing it.

In addition to OpenSSL, libexpat has multiple vulnerabilities affecting its XML parsing capabilities. These include:

  • CVE-2026-24515: A NULL pointer dereference in the setContext function after an out-of-memory condition.
  • CVE-2026-25210: Improper buffer size determination during tag buffer reallocation, leading to potential high impact on confidentiality and integrity.
  • CVE-2026-32776: Allows a NULL pointer dereference with empty external parameter entity content.
  • CVE-2026-32777: Causes an infinite loop while parsing DTD content.
  • CVE-2026-32778: Similar to CVE-2026-24515, involves a NULL pointer dereference in the setContext function.

These vulnerabilities affect libexpat versions before 2.7.5 and require immediate patching.

Affected Products and Fixed Versions

OpenSSL

Version   Vulnerable
3.6       Yes
3.5       Yes
3.4       Yes
3.3       Yes
1.0.2     Yes

Fixed Versions:

  • Upgrade to OpenSSL 3.6.1 for version 3.6 users.
  • Upgrade to OpenSSL 3.5.5 for version 3.5 users.
  • Upgrade to OpenSSL 3.4.4 for version 3.4 users.

libexpat

Version   Vulnerable
<2.7.5    Yes

Fixed Versions:

  • Upgrade to libexpat 2.7.5 or later.
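The fixed-version tables above can be turned into an inventory check. The following script is an added example, not part of the advisory or of either project; it compares version strings (for instance the output of `openssl version` or a package query) against the fixed versions the advisory lists, and flags the 3.3 and 1.0.2 branches as affected without guessing a fix the advisory does not name.

```python
import re

# Fixed versions as listed in the advisory. Branches the advisory marks as
# affected but gives no fix for (3.3, 1.0.2) map to None so they are flagged,
# not silently passed.
OPENSSL_FIXED = {"3.6": "3.6.1", "3.5": "3.5.5", "3.4": "3.4.4",
                 "3.3": None, "1.0.2": None}
LIBEXPAT_FIXED = "2.7.5"


def parse_version(text):
    """Extract the first dotted numeric version, e.g. 'OpenSSL 3.4.2 ...' -> (3, 4, 2)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def openssl_branch(ver):
    # 1.0.2 is a three-component branch; 3.x branches are two components.
    return "1.0.2" if ver[:3] == (1, 0, 2) else ".".join(map(str, ver[:2]))


def check_openssl(version_text):
    """Return (status, detail) for an OpenSSL version string."""
    ver = parse_version(version_text)
    branch = openssl_branch(ver)
    if branch not in OPENSSL_FIXED:
        return ("not-listed", f"branch {branch} is not named in the advisory")
    fixed = OPENSSL_FIXED[branch]
    if fixed is None:
        return ("vulnerable", f"branch {branch} is affected; no fixed version listed")
    if ver >= parse_version(fixed):
        return ("patched", f"{branch} is at or above {fixed}")
    return ("vulnerable", f"upgrade branch {branch} to {fixed}")


def check_libexpat(version_text):
    """Return (status, detail) for a libexpat version string."""
    ver = parse_version(version_text)
    if ver >= parse_version(LIBEXPAT_FIXED):
        return ("patched", f"at or above {LIBEXPAT_FIXED}")
    return ("vulnerable", f"upgrade to {LIBEXPAT_FIXED} or later")


if __name__ == "__main__":
    # Constructed sample inputs in the shape of `openssl version` / package output.
    for line in ["OpenSSL 3.4.2 8 Apr 2025", "OpenSSL 3.6.1", "OpenSSL 1.0.2u", "OpenSSL 3.0.15"]:
        print(line, "->", check_openssl(line))
    for line in ["expat 2.6.4", "libexpat1 2.7.5"]:
        print(line, "->", check_libexpat(line))
```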

Exploitation Status

The exploitation of these vulnerabilities requires specific conditions:

  • CVE-2025-69421: An attacker must provide a malformed PKCS#12 file to an application processing it.
  • libexpat Vulnerabilities: Typically require the parsing of maliciously crafted XML files.

While the impact of CVE-2025-69421 is limited to Denial of Service, the libexpat vulnerabilities can lead to more severe consequences, including potential code execution or memory disclosure.

Indicators of Compromise

Indicators for these vulnerabilities are primarily based on the processing of malformed PKCS#12 files (for OpenSSL) and malicious XML content (for libexpat). Monitoring for unusual application crashes or unexpected behavior during file parsing can serve as early warning signs.

Detection Opportunities

Organizations should implement monitoring for:

  • Unusual activity in applications known to process PKCS#12 files.
  • Anomalies in XML processing workflows, especially those involving external entities.
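One concrete form of the crash monitoring described above: the NULL pointer dereferences in this advisory surface as segfaults at an address at or near zero inside the affected library. The script below is an added example, not from the advisory; it scans constructed kernel-style segfault log lines (not events from any real system) and flags crashes in libcrypto, libssl or libexpat whose fault address falls within the first page.

```python
import re

# Constructed sample lines in the Linux kernel segfault log format; the hosts,
# PIDs and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 28 10:01:02 host kernel: pkcs12tool[4211]: segfault at 0 ip 00007f3a1c2b4f10 sp 00007ffd5e2c1a30 error 4 in libcrypto.so.3[7f3a1c100000+2a3000]
Jan 28 10:02:17 host kernel: xmlworker[4302]: segfault at 18 ip 00007f9b0e4c7a20 sp 00007ffc1c2e9f10 error 4 in libexpat.so.1[7f9b0e4b0000+2f000]
Jan 28 10:03:44 host kernel: other[4400]: segfault at 7f1234560000 ip 000055d1e8a0b1c0 sp 00007ffe0b3c2d40 error 6 in other[55d1e8a00000+1000]
Jan 28 10:04:00 host sshd[900]: Accepted publickey for ops from 10.0.0.5
"""

SEGFAULT_RE = re.compile(
    r"kernel: (?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r".*? in (?P<lib>[^\[\s]+)\["
)
# Libraries named in the advisory; a crash inside them is what to triage.
WATCHED_LIBS = ("libcrypto.so", "libssl.so", "libexpat.so")
NULL_PAGE = 0x1000  # a fault below the first page is a NULL-pointer-style dereference


def find_suspicious_crashes(log_text):
    """Return one dict per segfault inside a watched library, marking near-NULL faults."""
    hits = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        lib = m.group("lib")
        if not lib.startswith(WATCHED_LIBS):
            continue
        addr = int(m.group("addr"), 16)
        hits.append({"proc": m.group("proc"), "pid": int(m.group("pid")), "lib": lib,
                     "fault_addr": addr, "null_deref_like": addr < NULL_PAGE})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_crashes(SAMPLE_LOG):
        print(hit)
```

An infinite loop such as CVE-2026-32777 produces no segfault, so this check should be paired with CPU-time or watchdog alerting on the same XML-processing services.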

Timeline

  • January 27, 2026: OpenSSL Security Advisory published.
  • June 4, 2026: CISA Cybersecurity Advisories issued for ICSA-26-155-05.

Why This Matters for Defenders

The disclosed vulnerabilities in OpenSSL and libexpat highlight the importance of timely patching and monitoring. OpenSSL's widespread use in secure communications means that a Denial of Service vulnerability can have significant operational impacts. Similarly, libexpat's role in XML parsing makes it a critical component to secure against potential exploitation.

What Remains Unclear

While the vulnerabilities are well-documented, the extent of their exploitation in the wild remains unclear. Organizations should remain vigilant and consider additional security measures until patches are applied.

Defender Guidance

  1. Upgrade OpenSSL: Immediately upgrade to OpenSSL 3.6.1 or later for affected versions.
  2. Patch libexpat: Ensure all instances of libexpat are updated to version 2.7.5 or later.
  3. Monitor Applications: Implement monitoring for unusual behavior in applications processing PKCS#12 files and XML content.
  4. Review Security Policies: Reassess security policies related to file handling and parsing to mitigate risks from similar vulnerabilities in the future.

By following these steps, defenders can significantly reduce the risk posed by these vulnerabilities.

Sources

  1. https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-04
  2. https://openssl-library.org/news/secadv/20260127.txt
  3. https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c
  4. https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b
  5. https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -