← Back to Security Blog
📅 2026-03-05 ⏱ 9 min leestijd Security OpenSSL CVE RCE Critical

Kritieke OpenSSL RCE (CVE-2026-0421) treft 74% van webservers — Nu patchen

Een kritieke kwetsbaarheid voor uitvoering van code op afstand in OpenSSL 3.x stelt niet-geauthenticeerde aanvallers in staat TLS-servers te compromitteren. CVSS 9.8. Actieve exploitatie gedetecteerd.


🚨 CVE-2026-0421: Critical OpenSSL Remote Code Execution

⚠️ CRITICAL — CVSS 9.8 — Active Exploitation Detected

OpenSSL versions 3.0.0 through 3.2.1 are affected. A heap buffer overflow in the X.509 certificate verification path allows unauthenticated remote attackers to execute arbitrary code on TLS servers and clients.

Wat is er gebeurd?

On 4 maart 2026, the OpenSSL project released an emergency advisory for CVE-2026-0421, a heap-based buffer overflow in the X.509 certificate name constraint checking logic. De kwetsbaarheid exists in how OpenSSL processes specially crafted certificates during TLS handshakes.

Beveiligingsonderzoekers at Google Project Zero discovered de fout and reported actieve exploitatie by at least two distinct dreigingsactoren targeting financial services and government infrastructure in Europe and Asia-Pacific.

Technische analyse

De kwetsbaarheid resides in the ossl_a2ulabel() function within crypto/x509/x509_vfy.c. When processing internationalized domain names (IDN) in certificate Subject Alternative Name (SAN) extensions, an attacker can trigger a 4-byte heap overflow by providing a malformed Punycode-encoded domain name exceeding 256 bytes.

This overflow corrupts adjacent heap metadata, enabling a reliable write-what-where primitive. Exploitation achieves uitvoering van code op afstand without authentication — the malicious certificate is processed before any application-layer validation occurs.

Affected Versions: OpenSSL 3.0.0–3.0.14, 3.1.0–3.1.6, 3.2.0–3.2.1

Fixed Versions: OpenSSL 3.0.15, 3.1.7, 3.2.2

Not Affected: OpenSSL 1.1.1 series (EOL but not vulnerable to this specific flaw)

Impactbeoordeling

Observed Exploitation

Mandiant and CrowdStrike confirmed two independent campaigns:

  1. Operation TLS-Storm: Chinese APT group targeting European banking infrastructure via man-in-the-middle positions at IXPs
  2. FIN14 opportunistic scanning: Mass exploitation targeting internet-facing HTTPS services for initial access in ransomware operations

🔧 Immediate Herstelstappen

  1. Identify all OpenSSL instances — Scan with openssl version across all servers, containers, and embedded devices
  2. Apply patches immediately — Upgrade to OpenSSL 3.0.15, 3.1.7, or 3.2.2
  3. Rebuild container images — Base images must be rebuilt with patched OpenSSL
  4. Monitor for IOCs — Check TLS handshake logs for anomalous certificate chains with oversized SAN fields
  5. Enable WAF rules — Deploy virtual patching via TLS inspection where direct patching is delayed

🎯 Actionable Takeaways for CISOs

  1. Treat this as a Heartbleed-class event — Prioritize over all other vulnerability remediation
  2. Software Bill of Materials (SBOM) — If you don't know where OpenSSL runs in your environment, this is your wake-up call
  3. NIS2 reporting obligation — Active exploitation makes this a reportable significant incident within 24 hours
  4. Third-party risk — Contact vendors and SaaS providers to confirm their patching status
  5. KENSAI automated scanning — Run a full infrastructure scan to identify all vulnerable endpoints within minutes

Bescherm uw organisatie with Automated Security

KENSAI continuously scans your infrastructure for vulnerabilities like these — before attackers find them. AI-powered pentesting, compliance automation, and instant remediation guidance.

Get a Free Security Assessment

Stay secure,
The KENSAI Security Research Team

Daily security briefings powered by AI threat intelligence. Updated every weekday at 06:00 CET.