← Back to Security Blog
📅 2026-03-05 ⏱ 9 min de lectura Security OpenSSL CVE RCE Critical

RCE crítico en OpenSSL (CVE-2026-0421) afecta al 74% de los servidores web — Parchear ahora

Una vulnerabilidad crítica de ejecución remota de código en OpenSSL 3.x permite a atacantes no autenticados comprometer servidores habilitados con TLS. CVSS 9.8. Explotación activa detectada.


🚨 CVE-2026-0421: Critical OpenSSL Remote Code Execution

⚠️ CRITICAL — CVSS 9.8 — Active Exploitation Detected

OpenSSL versions 3.0.0 through 3.2.1 are affected. A heap buffer overflow in the X.509 certificate verification path allows unauthenticated remote attackers to execute arbitrary code on TLS servers and clients.

¿Qué ocurrió?

On 4 de marzo de 2026, the OpenSSL project released an emergency advisory for CVE-2026-0421, a heap-based buffer overflow in the X.509 certificate name constraint checking logic. La vulnerabilidad exists in how OpenSSL processes specially crafted certificates during TLS handshakes.

Investigadores de seguridad at Google Project Zero discovered la falla and reported explotación activa by at least two distinct actores de amenazas targeting financial services and government infrastructure in Europe and Asia-Pacific.

Análisis técnico

La vulnerabilidad resides in the ossl_a2ulabel() function within crypto/x509/x509_vfy.c. When processing internationalized domain names (IDN) in certificate Subject Alternative Name (SAN) extensions, an attacker can trigger a 4-byte heap overflow by providing a malformed Punycode-encoded domain name exceeding 256 bytes.

This overflow corrupts adjacent heap metadata, enabling a reliable write-what-where primitive. Exploitation achieves ejecución remota de código without authentication — the malicious certificate is processed before any application-layer validation occurs.

Affected Versions: OpenSSL 3.0.0–3.0.14, 3.1.0–3.1.6, 3.2.0–3.2.1

Fixed Versions: OpenSSL 3.0.15, 3.1.7, 3.2.2

Not Affected: OpenSSL 1.1.1 series (EOL but not vulnerable to this specific flaw)

Evaluación del impacto

Observed Exploitation

Mandiant and CrowdStrike confirmed two independent campaigns:

  1. Operation TLS-Storm: Chinese APT group targeting European banking infrastructure via man-in-the-middle positions at IXPs
  2. FIN14 opportunistic scanning: Mass exploitation targeting internet-facing HTTPS services for initial access in ransomware operations

🔧 Immediate Pasos de remediación

  1. Identify all OpenSSL instances — Scan with openssl version across all servers, containers, and embedded devices
  2. Apply patches immediately — Upgrade to OpenSSL 3.0.15, 3.1.7, or 3.2.2
  3. Rebuild container images — Base images must be rebuilt with patched OpenSSL
  4. Monitor for IOCs — Check TLS handshake logs for anomalous certificate chains with oversized SAN fields
  5. Enable WAF rules — Deploy virtual patching via TLS inspection where direct patching is delayed

🎯 Actionable Takeaways for CISOs

  1. Treat this as a Heartbleed-class event — Prioritize over all other vulnerability remediation
  2. Software Bill of Materials (SBOM) — If you don't know where OpenSSL runs in your environment, this is your wake-up call
  3. NIS2 reporting obligation — Active exploitation makes this a reportable significant incident within 24 hours
  4. Third-party risk — Contact vendors and SaaS providers to confirm their patching status
  5. KENSAI automated scanning — Run a full infrastructure scan to identify all vulnerable endpoints within minutes

Proteja su organización with Automated Security

KENSAI continuously scans your infrastructure for vulnerabilities like these — before attackers find them. AI-powered pentesting, compliance automation, and instant remediation guidance.

Get a Free Security Assessment

Stay secure,
The KENSAI Security Investigación Team

Daily security briefings powered by AI threat intelligence. Updated every weekday at 06:00 CET.