CVE-2025-35434

4.2 MEDIUM

📋 TL;DR

CISA Thorium versions before 1.1.2 fail to validate TLS certificates when connecting to Elasticsearch, allowing man-in-the-middle attacks. An unauthenticated attacker with network access to a Thorium cluster could impersonate the Elasticsearch service and potentially intercept or manipulate data. This affects all deployments using vulnerable Thorium versions.

💻 Affected Systems

Products:
  • CISA Thorium
Versions: All versions before 1.1.2
Operating Systems: All platforms running Thorium
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default configuration when connecting to Elasticsearch. Requires Thorium to be configured to use Elasticsearch backend.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept sensitive data flowing between Thorium and Elasticsearch, inject malicious data, or disrupt operations by impersonating the Elasticsearch backend.

🟠 Likely Case

Data interception leading to information disclosure of security telemetry and operational data stored in Elasticsearch.

🟢 If Mitigated

Limited impact due to network segmentation and proper TLS certificate validation in place.

🌐 Internet-Facing: MEDIUM - If Thorium is exposed to the internet, attackers could exploit this without authentication, but they still need a network position from which to intercept traffic.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to intercept sensitive data between Thorium and Elasticsearch.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to intercept or spoof TLS traffic between Thorium and Elasticsearch. No authentication is needed, but the attacker must hold a man-in-the-middle position on that path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.2

Vendor Advisory: https://github.com/cisagov/thorium/releases/tag/1.1.2

Restart Required: No

Instructions:

1. Download Thorium version 1.1.2 or later from GitHub releases.
2. Replace the existing Thorium binary with the patched version.
3. Verify that TLS certificate validation is now enforced for Elasticsearch connections.

🔧 Temporary Workarounds

Enforce TLS certificate validation via configuration

Platform: all

Configure Thorium to enforce TLS certificate validation for Elasticsearch connections, if the currently installed version supports it.

Note: Check the Thorium configuration documentation for TLS validation settings.

Network segmentation and monitoring

Platform: all

Isolate Thorium and Elasticsearch communication to trusted network segments and monitor for unusual traffic patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation between Thorium and Elasticsearch to prevent man-in-the-middle attacks
  • Monitor network traffic between Thorium and Elasticsearch for suspicious TLS handshake patterns or certificate errors

🔍 How to Verify

Check if Vulnerable:

Check Thorium version. If version is below 1.1.2 and configured to use Elasticsearch backend, it is vulnerable.

Check Version:

Run thorium --version, or check the Thorium binary/package version.

Verify Fix Applied:

After upgrading to 1.1.2 or later, verify that Thorium now validates TLS certificates when connecting to Elasticsearch by checking the connection logs, or by testing against an Elasticsearch endpoint that presents an invalid certificate and confirming that the connection is rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed TLS certificate validation errors in Thorium logs
  • Unexpected Elasticsearch connection failures

Network Indicators:

  • Unencrypted or improperly encrypted traffic between Thorium and Elasticsearch
  • Suspicious TLS handshake patterns

SIEM Query:

source="thorium" AND ("certificate" OR "TLS" OR "SSL") AND ("fail" OR "error" OR "invalid")
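The SIEM query above expressed as a Python filter and run over constructed sample records, with a second filter for the "unexpected Elasticsearch connection failures" log indicator. This is an added example, not code from the advisory or the Thorium project; the record shape and the log messages are assumptions made for illustration.

```python
# Constructed sample records in the shape a SIEM typically holds them: a source
# tag plus the raw log message. These messages are illustrative, not real
# Thorium output.
SAMPLE_RECORDS = [
    {"source": "thorium", "message": "INFO connected to elasticsearch at https://es.internal:9200"},
    {"source": "thorium", "message": "ERROR elasticsearch: TLS handshake failed: certificate verify failed"},
    {"source": "thorium", "message": "WARN elasticsearch: invalid certificate for host es.internal (self signed)"},
    {"source": "thorium", "message": "ERROR elasticsearch: connection refused"},
    {"source": "nginx", "message": "SSL_do_handshake() failed while SSL handshaking"},
]

# Term groups from the advisory's query:
#   source="thorium" AND ("certificate" OR "TLS" OR "SSL") AND ("fail" OR "error" OR "invalid")
TLS_TERMS = ("certificate", "tls", "ssl")
FAILURE_TERMS = ("fail", "error", "invalid")


def matches_siem_query(record):
    """Case-insensitive substring match, which is how most SIEM keyword searches behave."""
    if record.get("source") != "thorium":
        return False
    msg = record.get("message", "").lower()
    return any(t in msg for t in TLS_TERMS) and any(t in msg for t in FAILURE_TERMS)


def scan_records(records):
    """Messages that hit the certificate/TLS failure query (the primary log indicator)."""
    return [r["message"] for r in records if matches_siem_query(r)]


def connection_failures(records):
    """Elasticsearch failures that are NOT TLS-related: the second log indicator.
    After patching, a rise here alongside TLS errors is worth correlating, since
    a client that now validates certificates will refuse an impersonated backend."""
    out = []
    for r in records:
        msg = r.get("message", "").lower()
        if r.get("source") != "thorium" or "elasticsearch" not in msg:
            continue
        if any(t in msg for t in FAILURE_TERMS) and not any(t in msg for t in TLS_TERMS):
            out.append(r["message"])
    return out


if __name__ == "__main__":
    for line in scan_records(SAMPLE_RECORDS):
        print("TLS indicator:", line)
    for line in connection_failures(SAMPLE_RECORDS):
        print("connection failure:", line)
```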
