Skip to main content

TLS CVE-2025-23048

| EUVDEUVD-2025-21018 CRITICAL
Improper Access Control (CWE-284)
2025-07-10 security@apache.org
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
CRITICAL
qualitative
Red Hat
7.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21018
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 17:15 nvd
CRITICAL 9.1

DescriptionCVE.org

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

AnalysisAI

CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.

Technical ContextAI

The vulnerability stems from improper session resumption handling in TLS 1.3 within mod_ssl (CWE-284: Improper Access Control). TLS 1.3 introduced stateless session resumption using Pre-Shared Keys (PSK), which allows clients to resume sessions without full re-authentication. In multi-virtual-host Apache configurations where each vhost enforces different SSLCACertificateFile/Path settings for client certificate validation, the session state may not be properly bound to the originating virtual host's certificate requirements. When SSLStrictSNIVHostCheck is disabled, SNI validation is insufficient to prevent cross-vhost session reuse. Affected CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions 2.4.35 through 2.4.63). The root cause is inadequate enforcement of access control policies across session lifecycle in a multi-tenant virtual host context (CWE-284).

RemediationAI

  • action: Upgrade Apache HTTP Server; details: Patch to version 2.4.64 or later, which includes the fix for TLS 1.3 session resumption validation across virtual hosts
  • action: Enable SSLStrictSNIVHostCheck; details: Set 'SSLStrictSNIVHostCheck on' in all virtual host configurations that enforce per-vhost client certificate policies. This enforces strict SNI-to-vhost matching and prevents session reuse across vhosts; applicable_versions: All 2.4.35-2.4.63 (temporary mitigation pending upgrade)
  • action: Disable TLS 1.3 session resumption; details: Configure 'SSLSessionTickets off' and 'SSLSessionCache none' per virtual host to disable session resumption entirely, eliminating the attack vector (performance impact acceptable for high-security deployments); applicable_versions: Temporary workaround for 2.4.35-2.4.63
  • action: Implement additional vhost isolation; details: Use separate listening addresses (IP:port combinations) per virtual host instead of SNI-based sharing to enforce network-level isolation independent of TLS session handling

More in TLS

View all
CVE-2026-27180 CRITICAL POC
9.8 Feb 18

MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromis

CVE-2026-27944 CRITICAL POC
9.8 Mar 05

Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.

CVE-2026-27590 CRITICAL POC
9.8 Feb 24

FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to

CVE-2026-27586 CRITICAL POC
9.1 Feb 24

TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli

CVE-2026-27588 CRITICAL POC
9.1 Feb 24

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi

CVE-2026-27587 CRITICAL POC
9.1 Feb 24

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern

CVE-2026-25160 CRITICAL POC
9.1 Feb 04

Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file

CVE-2026-30851 HIGH POC
8.1 Mar 07

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e

CVE-2022-40620 HIGH POC
7.7 Jan 28

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS ce

CVE-2026-30852 HIGH POC
7.5 Mar 07

Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re

CVE-2026-25961 HIGH POC
7.5 Feb 09

SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers

CVE-2025-68133 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's

Vendor StatusVendor

Ubuntu

Priority: Medium
apache2
Release Status Version
trusty needs-triage -
upstream released 2.4.64-1
jammy released 2.4.52-1ubuntu4.15
noble released 2.4.58-1ubuntu8.7
plucky released 2.4.63-1ubuntu1.1
bionic released 2.4.29-1ubuntu4.27+esm6
focal released 2.4.41-4ubuntu3.23+esm2
xenial released 2.4.18-2ubuntu3.17+esm16
questing released 2.4.64-1ubuntu1

Debian

apache2
Release Status Fixed Version Urgency
bullseye fixed 2.4.65-1~deb11u1 -
bullseye (security) fixed 2.4.66-1~deb11u1 -
bookworm fixed 2.4.65-1~deb12u1 -
bookworm (security) vulnerable 2.4.62-1~deb12u2 -
trixie fixed 2.4.66-1~deb13u2 -
forky, sid fixed 2.4.66-8 -
(unstable) fixed 2.4.64-1 -

SUSE

Severity: Critical
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.10 Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE Affected
Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1.7.26.2 Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-EC2 Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-EC2 Image SLES15-SP6-SAPCAL-GCE Affected
Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:5.1.1.8.9.2 Container suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.2.9.13.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP7-SAPCAL-Azure Image SLES15-SP7-SAPCAL-EC2 Image SLES15-SP7-SAPCAL-GCE Image proxy-httpd-image Image server-image Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed

Share

CVE-2025-23048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy