Will CVE-2025-15467 affect Windows VMs?

Our security team has highlighted that this CVE has been found in outdated OpenSSL libraries, as part of the SDK, on Windows VMs. I can’t find any mention of it in the security bulletin. Does anyone have information on if this will be an issue or when it will be patched?

Hi CraigTG,

While Google Cloud manages the underlying infrastructure, vulnerabilities found within specific SDKs or third-party libraries (like OpenSSL) inside a Windows VM typically fall under the user’s portion of the Shared Responsibility Model.

If your security scanners are flagging CVE-2025-15467 in an outdated OpenSSL library:

  1. Identify the SDK: Check which specific SDK is bundling the library. It is likely a Cloud SDK or a language-specific library (like Python or Node.js) installed on the VM.

  2. Update the SDK: Run the update command for your environment. For the Google Cloud CLI on Windows, you can use: gcloud components update

  3. Manual Patching: If the SDK hasn’t released an official patch yet, you may need to manually update the OpenSSL binaries in the SDK’s file path, though updating the parent SDK is always the cleaner route.

Keep an eye on the Google Cloud Security Bulletins, but for internal VM software, proactive updating is your best bet!
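
For the "Identify the SDK" step above, a PowerShell inventory of OpenSSL DLLs on the VM, grouped by the install directory that bundles them. This is an added example, not part of the original thread or any Google tooling; the search roots and the `$FixedByBranch` table are assumptions, and the fixed versions must be filled in from the OpenSSL advisory for the CVE.

```powershell
param(
    # Assumed search roots; adjust to where SDKs are installed on your image.
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA),
    # Placeholder: branch -> first fixed version, taken from the OpenSSL advisory,
    # e.g. @{ '3.0' = '<fixed version>' }. Left empty, every hit is reported as 'unknown'.
    [hashtable]$FixedByBranch = @{}
)

# File names OpenSSL ships under on Windows (3.x, 1.1.x and legacy 1.0.x builds).
$patterns = 'libcrypto*.dll', 'libssl*.dll', 'libeay32.dll', 'ssleay32.dll'

$found = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Include $patterns -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi  = $_.VersionInfo
            $raw = if ($vi.ProductVersion) { $vi.ProductVersion } else { $vi.FileVersion }

            # Keep only the leading numeric part; a letter suffix (1.1.1x style)
            # stays visible in the RawVersion column but is not compared.
            $ver = $null
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }

            # Compare against the fixed version for this branch, if one was supplied.
            $status = 'unknown'
            if ($ver) {
                $branch = '{0}.{1}' -f $ver.Major, $ver.Minor
                if ($FixedByBranch.ContainsKey($branch)) {
                    $fixed  = [version]$FixedByBranch[$branch]
                    $status = if ($ver -lt $fixed) { 'OUTDATED' } else { 'ok' }
                }
            }

            # First two path segments under the root approximate the bundling product.
            $rel   = $_.FullName.Substring($root.Length).TrimStart('\')
            $owner = (($rel -split '\\') | Select-Object -First 2) -join '\'

            [pscustomobject]@{
                BundledBy  = $owner
                File       = $_.Name
                RawVersion = $raw
                Status     = $status
                Path       = $_.FullName
            }
        }
}

# One row per DLL, sorted so each SDK's copies appear together.
$found | Sort-Object BundledBy, File | Format-Table -AutoSize -Wrap
```

Re-run it after updating the SDK to confirm the flagged copy was replaced rather than left alongside a new one.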