Vulnerability identifier: #VU109657
Vulnerability risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-440
Exploitation vector: Network
Exploit availability: No
Vulnerable software: OpenSSL
Software category: Server applications / Encryption software
Vendor: OpenSSL Software Foundation
Description
The vulnerability may allow an attacker to gain unauthorized access to the application.
The vulnerability exists due to an error in the code handling the "-addreject" option, which is used to mark certain X.509 certificates as rejected. If the option is used, the certificate is added as trusted instead of being rejected.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
OpenSSL: 3.5.0
External links
https://openssl-library.org/news/secadv/20250522.txt
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.