PatchSiren cyber security CVE debrief
CVE-2025-9232 Cert Portal CVE debrief
CVE-2025-9232 describes a crash-only out-of-bounds read in OpenSSL’s HTTP client when the no_proxy environment variable is set and the host in the URL authority is an IPv6 address. The practical impact is denial of service for applications that pass attacker-influenced URLs into the OpenSSL HTTP client APIs. The source advisory also notes that the OCSP and CMP client code paths use the same HTTP client functionality, but that the URLs they fetch are unlikely to be attacker-controlled. The CISA CSAF advisory summarised here was published on 2026-05-12 and republished with modifications on 2026-05-14.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC CN 4100, all versions < V5.0 (CSAF version range vers:intdot/<5.0)
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Administrators and developers who use affected Siemens SIMATIC CN 4100 deployments, and application teams that call OpenSSL HTTP client APIs with externally influenced URLs. Also review OCSP or CMP client use if those flows rely on the same HTTP client behavior.
Technical summary
The issue is an out-of-bounds read in OpenSSL’s HTTP client API functions, reached only when the no_proxy environment variable is set in the process environment and the host portion of the URL being fetched is an IPv6 address. The advisory states the read can lead only to a crash, so the impact is denial of service rather than confidentiality or integrity compromise, and reaching it requires all three conditions at once: a build containing the vulnerable code, no_proxy present, and an IPv6 host in a URL the attacker can influence. The vulnerable code was introduced in patch releases 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0, and 3.5.0, so earlier patch levels in each of those series do not contain it. The advisory also states that the FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1, and 3.0 are not affected because the HTTP client implementation is outside the FIPS boundary.
Defensive priority
Medium, with higher priority for environments where application code passes untrusted or externally influenced HTTP URLs into OpenSSL and the affected processes run with no_proxy set. Priority is lower when URL inputs are fully controlled and isolated.
Recommended defensive actions
- Update affected Siemens SIMATIC CN 4100 systems to V5.0 or later, per the vendor remediation.
- Review application code that uses OpenSSL HTTP client APIs to confirm whether URLs can be influenced by users or upstream systems.
- Check whether no_proxy is set in the runtime environment for affected services and document where it is required.
- If OCSP or CMP clients are used, trace where the URLs they fetch come from (static configuration versus externally supplied data) and confirm whether those processes run with no_proxy set, since they share the same HTTP client code path.
- Use the supplied CISA and Siemens advisories as the source of truth for affected product/version scope before scheduling maintenance.
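The conditions described in the technical summary and the checks listed above (version range, no_proxy presence, IPv6-literal host in the URL) combined into one pre-flight triage script. This is an added example written for this debrief, not OpenSSL, Siemens or CISA code. The introducing patch releases are the ones named in the technical summary; the fixed releases are taken from the upstream OpenSSL security advisory of 2025-09-30, which the source text here does not quote, so confirm them there before relying on them. The function names (`triage`, `check_before_fetch`), the NO_PROXY fallback, and the sample version banners, URLs and environment are assumptions or constructed inputs.

```python
"""Pre-flight triage for the CVE-2025-9232 trigger conditions (added example)."""
import ipaddress
import os
import re
from urllib.parse import urlsplit

# Patch releases in which the vulnerable no_proxy handling was introduced, as
# stated in the advisory text. Earlier patch levels in a series lack the code.
INTRODUCED_IN = {
    (3, 0): (3, 0, 16), (3, 1): (3, 1, 8), (3, 2): (3, 2, 4),
    (3, 3): (3, 3, 3), (3, 4): (3, 4, 0), (3, 5): (3, 5, 0),
}
# Releases carrying the fix. Taken from the upstream OpenSSL security advisory
# of 2025-09-30, NOT from the CISA/Siemens text on this page; verify upstream.
FIXED_IN = {
    (3, 0): (3, 0, 18), (3, 1): (3, 1, 9), (3, 2): (3, 2, 6),
    (3, 3): (3, 3, 5), (3, 4): (3, 4, 3), (3, 5): (3, 5, 4),
}

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from `openssl version` output such as
    'OpenSSL 3.5.3 16 Sep 2025' (constructed sample banner)."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    return tuple(int(part) for part in match.groups())


def version_status(version):
    """'vulnerable', 'fixed', 'not-affected' (predates the introducing patch
    release) or 'not-covered' (a series the advisory does not list)."""
    series = version[:2]
    if series not in INTRODUCED_IN:
        return "not-covered"
    if version < INTRODUCED_IN[series]:
        return "not-affected"
    if version >= FIXED_IN[series]:
        return "fixed"
    return "vulnerable"


def no_proxy_variable(env):
    """Name of the no_proxy variable present in `env`, or None. The advisory
    names no_proxy; also checking NO_PROXY is an assumption based on OpenSSL
    honouring upper-case spellings of its proxy variables. Presence counts
    even when the value is empty."""
    for name in ("no_proxy", "NO_PROXY"):
        if name in env:
            return name
    return None


def host_is_ipv6_literal(url):
    """True when the URL authority carries a bracketed IPv6 literal, the host
    shape the advisory ties to the out-of-bounds read. Userinfo is stripped
    first so 'user:pw@[::1]' is handled; a bracketed host that is not a valid
    IPv6 address is never reported as IPv6."""
    authority = urlsplit(url).netloc.rsplit("@", 1)[-1]
    if not authority.startswith("["):
        return False
    end = authority.find("]")
    if end == -1:
        raise ValueError(f"unterminated IPv6 literal in {url!r}")
    literal = authority[1:end].split("%", 1)[0]  # drop any zone id
    try:
        ipaddress.IPv6Address(literal)
    except ipaddress.AddressValueError:
        return False
    return True


def triage(url, env, openssl_banner):
    """Combine the three conditions: the bug is reachable only when a vulnerable
    build, a present no_proxy variable and an IPv6-literal host all coincide."""
    version = parse_openssl_version(openssl_banner)
    status = version_status(version)
    var = no_proxy_variable(env)
    ipv6 = host_is_ipv6_literal(url)
    return {
        "version": version,
        "version_status": status,
        "no_proxy_variable": var,
        "ipv6_host": ipv6,
        "reaches_vulnerable_path": status == "vulnerable" and var is not None and ipv6,
    }


def check_before_fetch(url, env=None):
    """Hypothetical application-side guard: refuse an externally influenced URL
    before it reaches the OpenSSL HTTP client if it would hit the vulnerable
    path. A stop-gap until the build is upgraded, not a fix."""
    env = os.environ if env is None else env
    var = no_proxy_variable(env)
    if var is not None and host_is_ipv6_literal(url):
        raise ValueError(f"refusing IPv6-literal host while {var} is set (CVE-2025-9232 pre-check)")
    return url


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is taken from a real deployment.
    sample_env = {"no_proxy": "localhost,127.0.0.1"}
    print(triage("http://[2001:db8::1]:8080/ocsp", sample_env, "OpenSSL 3.5.3 16 Sep 2025"))
```

Run `triage()` with the real `openssl version` banner of the library the service actually links (not the system default, if the application bundles its own) and with that service's environment, since `no_proxy` set in a shell is not the same as `no_proxy` in the daemon's environment. `check_before_fetch()` is only worth wiring in where the URL source is external and an upgrade cannot be scheduled immediately.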
Evidence notes
The source advisory text states that an OpenSSL HTTP client API path may trigger an out-of-bounds read when no_proxy is set and the host is an IPv6 address, and that the result is a crash leading to denial of service. It also states the issue was assessed as low severity upstream because exploitation requires an attacker-controlled URL and the outcome is limited to a crash; the MEDIUM 5.9 CVSS score shown above comes from the supplied metadata, so the two ratings differ in scale rather than in the crash-only impact they describe. The supplied source metadata maps the advisory to Siemens SIMATIC CN 4100 < V5.0 and cites remediation as updating to V5.0 or later. CISA’s CSAF record was published 2026-05-12 and republished 2026-05-14.
Official resources
- CVE-2025-9232 CVE record (CVE.org)
- CVE-2025-9232 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references (advisory reference links)
Public advisory data in the supplied corpus was published on 2026-05-12 and modified on 2026-05-14. This debrief uses those advisory dates and does not infer an earlier issue date from the CVE identifier.