Login Sign Up

CVE-2025-23048

9.1 CRITICAL
Authentication Bypass

📋 TL;DR

This CVE describes an access control bypass vulnerability in Apache HTTP Server's mod_ssl module when using TLS 1.3 session resumption. Organizations running Apache 2.4.35-2.4.63 with multiple virtual hosts using different client certificate authentication configurations are affected. The vulnerability allows clients trusted for one virtual host to potentially access other virtual hosts.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.35 through 2.4.63
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Only affects configurations with multiple virtual hosts using different SSLCACertificateFile/Path settings for client certificate authentication.

📦 What is this software?

Http Server by Apache

View all CVEs affecting Http Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to sensitive data or systems protected by client certificate authentication, potentially leading to data breaches or privilege escalation.

🟠

Likely Case

Access to internal applications or APIs that should be restricted to specific client certificates, potentially exposing sensitive information.

🟢

If Mitigated

Limited impact if SSLStrictSNIVHostCheck is enabled or if single virtual host configurations are used.

🌐 Internet-Facing: HIGH - Internet-facing Apache servers with client certificate authentication for multiple virtual hosts are directly exploitable.
🏢 Internal Only: MEDIUM - Internal Apache servers with the vulnerable configuration could allow lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a client certificate trusted by at least one virtual host and TLS 1.3 session resumption capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache HTTP Server 2.4.64 or later

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.64 or later from official sources. 2. Backup current configuration. 3. Install the updated version following Apache's installation guide. 4. Restart Apache service.

🔧 Temporary Workarounds

Enable SSLStrictSNIVHostCheck

all

Enables strict Server Name Indication (SNI) host checking which prevents the bypass

SSLStrictSNIVHostCheck on

Disable TLS 1.3 session resumption

all

Prevents exploitation by disabling the vulnerable TLS 1.3 feature

SSLProtocol -all +TLSv1.2

🧯 If You Can't Patch

  • Enable SSLStrictSNIVHostCheck in all virtual host configurations
  • Consider consolidating virtual hosts or using single client certificate authority for all hosts

🔍 How to Verify

Check if Vulnerable:

Check Apache version with 'httpd -v' and verify configuration has multiple virtual hosts with different SSLCACertificateFile/Path settings and SSLStrictSNIVHostCheck disabled.

Check Version:

httpd -v

Verify Fix Applied:

Verify Apache version is 2.4.64+ with 'httpd -v' and confirm SSLStrictSNIVHostCheck is enabled in configurations.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected access patterns between virtual hosts
  • TLS 1.3 session resumption logs showing cross-host access

Network Indicators:

  • TLS 1.3 handshakes followed by cross-virtual-host requests

SIEM Query:

source="apache_access" (virtual_host_A AND client_cert_B) OR (virtual_host_B AND client_cert_A) where A and B are different virtual hosts

📊 Metadata

CVE ID: CVE-2025-23048
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-284
EPSS Score: 0.03% exploit probability (8.9th percentile)
Published: July 10, 2025
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-23048, you might also want to check these:

CVE-2021-34795 10.0

This critical vulnerability in Cisco Catalyst PON Series Switches ONT web management interface allow...

Same vulnerability type (CWE-284)
CVE-2021-40113 10.0

Multiple vulnerabilities in Cisco Catalyst PON Series Switches ONT web management interface allow un...

Same vulnerability type (CWE-284)
CVE-2026-21636 10.0

A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled i...

Same vulnerability type (CWE-284)