Overview of CVE‑2025‑15467

On January 27, 2026, the OpenSSL project published CVE‑2025‑15467, a critical vulnerability (CVSS score: 9.8) affecting OpenSSL versions 3.0 through 3.6. The issue is specific to the Cryptographic Message Syntax (CMS) functionality, particularly in the handling of AuthEnvelopedData structures. Exploitation could potentially result in a stack-based buffer overflow and potential remote code execution.

FlexNet Embedded Impact Assessment

Based on a comprehensive review, we confirm the following:

• FlexNet Embedded Client SDK kits and FlexNet Embedded Local License Servers are not impacted by CVE‑2025‑15467, as the vulnerable code path in OpenSSL is not invoked by FlexNet Embedded components.
• FlexNet Embedded Local License Servers do not use OpenSSL’s CMS or SMIME APIs. FlexNet Embedded Local License Server 2025.09 has been explicitly verified to avoid CMS-related APIs.
• Password-based CMS encryption is not used in any FlexNet Embedded components.

Required Customer Action

At the time of this assessment, no action is required by FlexNet Embedded customers or their end users.

Planned Update

As the vulnerability does not affect FlexNet Embedded Local License Server of Client SDK kits, no hotfix is required for existing FlexNet Embedded versions.

OpenSSL version 3.5.5, which includes the fix for CVE‑2025‑15467 will be included in the following FlexNet Embedded releases as part of our ongoing dependency maintenance:

• FlexNet Embedded Local License Server 2026.03
• FlexNet Embedded Client SDK kits 2026.09