CVE-2025-23048

EUVD-2025-21018 | CRITICAL | CVSS 3.1 base score 9.1
Published 2025-07-10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector        Network (AV:N)
Attack Complexity    Low (AC:L)
Privileges Required  None (PR:N)
User Interaction     None (UI:N)
Scope                Unchanged (S:U)
Confidentiality      High (C:H)
Integrity            High (I:H)
Availability         None (A:N)

Lifecycle Timeline

Patch Released      Mar 31, 2026 - 21:13 (nvd); patch available
Analysis Generated  Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned    Mar 16, 2026 - 06:52 (euvd); EUVD-2025-21018
CVE Published       Jul 10, 2025 - 17:15 (nvd)

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Analysis

CVE-2025-23048 is an access control bypass in mod_ssl on Apache HTTP Server 2.4.35 through 2.4.63. It affects deployments that run several TLS virtual hosts on the same listener, each restricting access to a different set of trusted client certificates (for example, a different SSLCACertificateFile or SSLCACertificatePath per vhost). A client holding a certificate trusted by one virtual host can use TLS 1.3 session resumption to reach another virtual host whose client-certificate policy would reject that certificate in a full handshake, provided SSLStrictSNIVHostCheck is not enabled in either vhost. The result is read and write access to the second vhost using the first vhost's credentials, which the CVSS vector scores as High confidentiality and integrity impact with no availability impact. The vector rates the attack as network-reachable with Privileges Required: None; note, however, that the attacker must already hold a client certificate trusted by one of the co-hosted virtual hosts, so the realistic attacker is a trusted client of a neighbouring tenant rather than an anonymous remote user.

Technical Context

The weakness is improper access control (CWE-284) in mod_ssl's handling of TLS 1.3 session resumption. TLS 1.3 (RFC 8446) folds all session resumption into its pre-shared key (PSK) mechanism: a full handshake ends with the server issuing a NewSessionTicket, and a later connection that presents the ticket resumes without a new certificate exchange, so the client-certificate verification performed during the original handshake carries over to the resumed connection. In a configuration where several virtual hosts share one IP:port and each validates client certificates against its own SSLCACertificateFile/Path, the resumable session is not bound strongly enough to the virtual host whose CA settings authenticated the client. A client that completed a full handshake against virtual host A can therefore resume with A's ticket and be served by virtual host B, which would have rejected the same certificate in a full handshake. SSLStrictSNIVHostCheck controls whether a client that does not send an SNI name is allowed to reach a name-based virtual host; the advisory lists the directive being off in both vhosts as the precondition for the bypass. Affected CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions 2.4.35 through 2.4.63).
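A configuration audit that checks for the preconditions listed above (a shared listener, differing SSLCACertificateFile/Path per vhost, SSLStrictSNIVHostCheck off in both, and an upstream version in the affected range). This is an added example, not code from vuln.today or the httpd project. It assumes the configuration is passed as one flat text with any Include files already expanded, that a server-level SSLStrictSNIVHostCheck acts as the inherited default for vhosts that do not set it, and that the version argument is the upstream "2.4.x" string; the embedded configuration is constructed for the example and is not a real deployment.

```python
"""Check an Apache httpd configuration for the CVE-2025-23048 preconditions.

Added example, not code from vuln.today or the httpd project.  Assumptions:
the configuration is one flat text (Include files already expanded by the
caller), a server-level SSLStrictSNIVHostCheck is the inherited default for
every <VirtualHost> that does not set it, and the version argument is the
upstream "2.4.x" string (distribution packages may carry the fix under an
older version number; see the vendor tables on the page).
"""
import re
from collections import defaultdict
from itertools import combinations

VULN_MIN, VULN_MAX = (2, 4, 35), (2, 4, 63)

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")

# httpd directive names are case-insensitive; normalise to the documented spelling.
CANONICAL = {d.lower(): d for d in (
    "ServerName", "SSLCACertificateFile", "SSLCACertificatePath",
    "SSLStrictSNIVHostCheck")}

# Constructed sample (not a real deployment): two name-based TLS vhosts on one
# listener, each trusting a different client CA, neither setting
# SSLStrictSNIVHostCheck, so every condition in the advisory is met.
SAMPLE_VULNERABLE = """
<VirtualHost *:443>
    ServerName partner-a.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-a.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName partner-b.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-b.pem
</VirtualHost>
"""
# The same layout with the advisory's mitigation applied in both vhosts.
SAMPLE_MITIGATED = SAMPLE_VULNERABLE.replace(
    "SSLEngine on", "SSLEngine on\n    SSLStrictSNIVHostCheck on")


def parse_version(text):
    """'2.4.63' -> (2, 4, 63)."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_vhosts(config):
    """Return (server-level directives, list of vhost dicts)."""
    server, vhosts, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop '#' comments
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            cur = {"addr": m.group(1).strip(), "ServerName": "?"}
            continue
        if VHOST_CLOSE.match(line):
            if cur is not None:
                vhosts.append(cur)
            cur = None
            continue
        m = DIRECTIVE.match(line)
        if m:
            key = CANONICAL.get(m.group(1).lower(), m.group(1))
            (server if cur is None else cur)[key] = m.group(2)
    return server, vhosts


def trust_anchor(vh):
    """The client-CA setting that defines this vhost's trusted client set."""
    return (vh.get("SSLCACertificateFile"), vh.get("SSLCACertificatePath"))


def strict_sni(vh, server):
    """SSLStrictSNIVHostCheck for a vhost: own value, else server value, else off."""
    val = vh.get("SSLStrictSNIVHostCheck",
                 server.get("SSLStrictSNIVHostCheck", "off"))
    return val.lower() == "on"


def audit(config, httpd_version):
    """Return [(ServerName, ServerName)] for every vhost pair matching the advisory:
    same listener, different SSLCACertificateFile/Path, strict SNI check on in neither."""
    if not VULN_MIN <= parse_version(httpd_version) <= VULN_MAX:
        return []
    server, vhosts = parse_vhosts(config)
    by_addr = defaultdict(list)
    for vh in vhosts:
        if any(trust_anchor(vh)):          # only vhosts that restrict client certs
            by_addr[vh["addr"]].append(vh)
    findings = []
    for group in by_addr.values():
        for a, b in combinations(group, 2):
            if (trust_anchor(a) != trust_anchor(b)
                    and not strict_sni(a, server) and not strict_sni(b, server)):
                findings.append((a["ServerName"], b["ServerName"]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_VULNERABLE), ("mitigated", SAMPLE_MITIGATED)):
        print(name, "on 2.4.63:", audit(cfg, "2.4.63") or "no affected vhost pair")
```

The check is deliberately pairwise: the advisory's condition is that the strict SNI check is off in both vhosts of a pair, so a single vhost with it enabled already takes that pair out of scope, while a third vhost without it can still pair with another. The version gate only understands upstream version strings; for a distribution package such as Ubuntu's 2.4.52-1ubuntu4.15, consult the vendor table rather than feeding the bare "2.4.52" to this script.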

Affected Products

Apache HTTP Server (2.4.35 through 2.4.63)

Remediation

- action: Upgrade Apache HTTP Server; details: Patch to version 2.4.64 or later, which includes the fix for TLS 1.3 session resumption validation across virtual hosts. Distribution packages may ship the fix as a backport under an older upstream version number (see Vendor Status below), so check the package changelog rather than the bare 2.4.x string.
- action: Enable SSLStrictSNIVHostCheck; details: Set 'SSLStrictSNIVHostCheck on' in every virtual host that enforces a per-vhost client certificate policy. The directive rejects clients that do not send SNI for that vhost, and the advisory's precondition for the bypass is that it is off in both of the vhosts involved; applicable_versions: all 2.4.35-2.4.63 (temporary mitigation pending upgrade)
- action: Disable TLS session resumption; details: Set 'SSLSessionTickets off' in the affected virtual hosts and 'SSLSessionCache none' in the server context (SSLSessionCache is a server-level directive and cannot be set per virtual host). This disables session resumption at the cost of a full handshake per connection, acceptable for high-security deployments; applicable_versions: temporary workaround for 2.4.35-2.4.63
- action: Implement additional vhost isolation; details: Give each virtual host its own listening address (a distinct IP:port) instead of sharing one SNI-selected listener, so that vhost selection no longer depends on TLS session handling
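The weak configuration beside the mitigated one, as an added example that is not from vuln.today or the httpd project. Hostnames and CA file paths are placeholders; the two sections are alternatives (only one would be loaded), shown together so the changed directives are visible side by side.

```apache
# Added example, not from vuln.today or the httpd project.  Hostnames and
# certificate paths are placeholders.  Two name-based TLS virtual hosts
# share one listener and each trusts a different client CA.

# ---- Vulnerable on 2.4.35 through 2.4.63 ----
# SSLStrictSNIVHostCheck is left at its default (off) in both vhosts, so a
# session established against partner-a's CA can be resumed and used to
# reach partner-b, whose CA would reject the certificate in a full handshake.
<VirtualHost *:443>
    ServerName partner-a.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-a.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName partner-b.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-b.pem
</VirtualHost>

# ---- Mitigated (pending the upgrade to 2.4.64) ----
# Server context: SSLSessionCache is a server-level directive and cannot be
# placed inside <VirtualHost>.  Setting it to none, together with
# SSLSessionTickets off below, is the page's stronger workaround; it costs a
# full handshake per connection.  Leave it out if the SNI check alone is
# the chosen mitigation.
SSLSessionCache none

<VirtualHost *:443>
    ServerName partner-a.example.test
    SSLEngine on
    # Reject clients that do not send SNI for this vhost; the advisory's
    # precondition is this directive being off in both vhosts.
    SSLStrictSNIVHostCheck on
    # Optional: no session tickets, so no ticket-based resumption.
    SSLSessionTickets off
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-a.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName partner-b.example.test
    SSLEngine on
    SSLStrictSNIVHostCheck on
    SSLSessionTickets off
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/clientca/partner-b.pem
</VirtualHost>
```

Enabling SSLStrictSNIVHostCheck in the first (default) virtual host for a listener rejects every non-SNI client on that IP:port, so confirm no legacy non-SNI clients depend on the default vhost before turning it on. Validate the edited configuration with `apachectl configtest` (or `httpd -t`) before reloading. Where the tenants must remain reachable by non-SNI clients, the page's last option applies instead: bind each vhost to its own IP:port so that no session can cross between them.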

Priority Score

46 (scale: Low / Medium / High / Critical)
  KEV:  0
  EPSS: +0.0
  CVSS: +46
  POC:  0

Vendor Status

Ubuntu (priority: Medium), package apache2

Release   Status        Version
trusty    needs-triage  -
upstream  released      2.4.64-1
jammy     released      2.4.52-1ubuntu4.15
noble     released      2.4.58-1ubuntu8.7
plucky    released      2.4.63-1ubuntu1.1
bionic    released      2.4.29-1ubuntu4.27+esm6
focal     released      2.4.41-4ubuntu3.23+esm2
xenial    released      2.4.18-2ubuntu3.17+esm16
questing  released      2.4.64-1ubuntu1

Debian, package apache2

Release              Status      Fixed Version      Urgency
bullseye             fixed       2.4.65-1~deb11u1   -
bullseye (security)  fixed       2.4.66-1~deb11u1   -
bookworm             fixed       2.4.65-1~deb12u1   -
bookworm (security)  vulnerable  2.4.62-1~deb12u2   -
trixie               fixed       2.4.66-1~deb13u2   -
forky, sid           fixed       2.4.66-8           -
(unstable)           fixed       2.4.64-1           -

CVE-2025-23048 vulnerability details – vuln.today
