Skip to main content

TLS CVE-2025-49812

| EUVDEUVD-2025-21016 HIGH
Improper Authentication (CWE-287)
2025-07-10 security@apache.org
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21016
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 17:15 nvd
HIGH 7.4

DescriptionCVE.org

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

AnalysisAI

CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.

Technical ContextAI

The vulnerability exploits HTTP Upgrade mechanism (RFC 7230) combined with STARTTLS-like TLS upgrade functionality in mod_ssl. When 'SSLEngine optional' is configured, Apache allows clients to negotiate TLS upgrades mid-connection via HTTP Upgrade headers and 101 Switching Protocols responses. The root cause is CWE-287 (Improper Authentication) manifested as a desynchronization between how the proxy/server interprets request boundaries during the upgrade handshake. An attacker positioned as a MITM can send crafted HTTP requests that cause the server and client to disagree on where one request ends and another begins, allowing the attacker to inject commands into an established TLS session. This is a variant of HTTP request smuggling (CWE-444) at the TLS upgrade layer. Affected CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions up to 2.4.63 with mod_ssl and SSLEngine optional configuration).

RemediationAI

  • priority: CRITICAL; action: Upgrade to Apache HTTP Server 2.4.64 or later; rationale: Version 2.4.64 removes TLS upgrade support entirely, eliminating the attack surface. This is the vendor-recommended fix.
  • priority: HIGH; action: If upgrade is not immediately possible, remove or disable 'SSLEngine optional' configuration; rationale: Change SSLEngine directive from 'optional' to 'on' (require TLS) or 'off' to disable SSL/TLS entirely for affected virtual hosts. This prevents the upgrade mechanism that enables the attack.; config_example: Change: SSLEngine optional | To: SSLEngine on
  • priority: HIGH; action: Disable HTTP-to-HTTPS upgrade mechanisms; rationale: Remove or comment out HTTP Upgrade header handling and 101 Switching Protocols support if possible through mod_ssl configuration.
  • priority: MEDIUM; action: Implement MITM detection and network segmentation; rationale: Deploy certificate pinning on clients, use VPNs, and enforce internal TLS for server-to-server communication to reduce MITM risk while patching.

More in TLS

View all
CVE-2026-27180 CRITICAL POC
9.8 Feb 18

MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromis

CVE-2026-27944 CRITICAL POC
9.8 Mar 05

Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.

CVE-2026-27590 CRITICAL POC
9.8 Feb 24

FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to

CVE-2026-27586 CRITICAL POC
9.1 Feb 24

TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli

CVE-2026-27588 CRITICAL POC
9.1 Feb 24

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi

CVE-2026-27587 CRITICAL POC
9.1 Feb 24

Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern

CVE-2026-25160 CRITICAL POC
9.1 Feb 04

Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file

CVE-2026-30851 HIGH POC
8.1 Mar 07

Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e

CVE-2022-40620 HIGH POC
7.7 Jan 28

FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS ce

CVE-2026-30852 HIGH POC
7.5 Mar 07

Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re

CVE-2026-25961 HIGH POC
7.5 Feb 09

SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers

CVE-2025-68133 HIGH POC
7.4 Jan 21

EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's

Vendor StatusVendor

Ubuntu

Priority: Medium
apache2
Release Status Version
trusty needs-triage -
xenial released 2.4.18-2ubuntu3.17+esm16
upstream released 2.4.64-1
bionic released 2.4.29-1ubuntu4.27+esm6
focal released 2.4.41-4ubuntu3.23+esm2
jammy released 2.4.52-1ubuntu4.15
noble released 2.4.58-1ubuntu8.7
plucky released 2.4.63-1ubuntu1.1
questing released 2.4.64-1ubuntu1

Debian

apache2
Release Status Fixed Version Urgency
bullseye fixed 2.4.65-1~deb11u1 -
bullseye (security) fixed 2.4.66-1~deb11u1 -
bookworm fixed 2.4.65-1~deb12u1 -
bookworm (security) vulnerable 2.4.62-1~deb12u2 -
trixie fixed 2.4.66-1~deb13u2 -
forky, sid fixed 2.4.66-8 -
(unstable) fixed 2.4.64-1 -

SUSE

Severity: High
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.10 Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE Affected
Container suse/manager/5.0/x86_64/proxy-httpd:5.0.5.1.7.26.2 Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-EC2 Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-EC2 Image SLES15-SP6-SAPCAL-GCE Affected
Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:5.1.1.8.9.2 Container suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.2.9.13.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP7-SAPCAL-Azure Image SLES15-SP7-SAPCAL-EC2 Image SLES15-SP7-SAPCAL-GCE Image proxy-httpd-image Image server-image Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 7 LTSS Fixed

Share

CVE-2025-49812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy