CVE-2025-66614
📋 TL;DR
This vulnerability allows attackers to bypass client certificate authentication in Apache Tomcat when multiple virtual hosts are configured with different TLS authentication requirements. By sending mismatched host names in the SNI extension and HTTP host header, attackers can access protected resources without proper authentication. Only Tomcat installations with multiple virtual hosts and client certificate authentication configured at the Connector level are affected.
💻 Affected Systems
- Apache Tomcat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized access to sensitive resources protected by client certificate authentication, potentially leading to data breaches or privilege escalation.
Likely Case
Authentication bypass allowing access to resources that should require client certificates, compromising security boundaries between virtual hosts.
If Mitigated
Limited impact if client certificate authentication is enforced at the web application level or if only single virtual host configurations are used.
🎯 Exploit Status
Exploitation requires specific configuration conditions but is straightforward once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.15+, 10.1.50+, 9.0.113+
Vendor Advisory: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
Restart Required: Yes
Instructions:
1. Download the patched Tomcat version from the Apache website.
2. Back up the current installation.
3. Stop the Tomcat service.
4. Replace the Tomcat files with the patched version.
5. Restart the Tomcat service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Enforce client certificate authentication at the web application level
Configure client certificate authentication within web applications instead of at the Connector level.
Use a single virtual host configuration
Consolidate to a single virtual host, or ensure all virtual hosts have identical client certificate requirements.
🧯 If You Can't Patch
- Configure all virtual hosts to require client certificate authentication uniformly
- Implement additional authentication layers at the application level
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and configuration:
1. Verify the Tomcat version is in the affected range.
2. Check whether multiple virtual hosts are configured.
3. Verify that client certificate authentication is configured at the Connector level with different requirements per host.
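Step 3 above can be checked mechanically. The script below is an added example (not from the advisory or the Tomcat project): it parses a constructed server.xml fragment and flags any TLS Connector whose per-host SSLHostConfig entries (or legacy clientAuth attribute) apply unequal client-certificate rules, which is the configuration precondition this advisory describes. It assumes Tomcat's documented SSLHostConfig attributes hostName and certificateVerification; the sample hosts and keystore paths are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the advisory): one TLS Connector
# serving two SNI hosts with different client-cert requirements.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig hostName="_default_" certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/public.jks" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="secure.example.test" certificateVerification="required"
                     truststoreFile="conf/clients.jks">
        <Certificate certificateKeystoreFile="conf/secure.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Legacy Connector-level clientAuth values mapped onto certificateVerification terms.
LEGACY_CLIENT_AUTH = {"true": "required", "want": "optional", "false": "none"}


def audit_connector_client_auth(server_xml: str) -> list[dict]:
    """Return one finding per TLS Connector whose virtual hosts do not all
    share the same client-certificate verification rule."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Per-host rule: explicit certificateVerification, Tomcat default is "none".
        rules = {}
        for shc in conn.findall("SSLHostConfig"):
            host = shc.get("hostName", "_default_")
            rules[host] = shc.get("certificateVerification", "none").lower()
        # Legacy attribute on the Connector itself applies to the default host.
        legacy = conn.get("clientAuth")
        if legacy is not None:
            rules.setdefault("_default_", LEGACY_CLIENT_AUTH.get(legacy.lower(), legacy.lower()))
        if len(set(rules.values())) > 1:
            findings.append({"port": conn.get("port"), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in audit_connector_client_auth(SAMPLE_SERVER_XML):
        print(f"Connector :{f['port']} mixes client-cert rules per host: {f['rules']}")
```

A Connector with no finding still needs the patched version; the script only tells you whether the mixed-requirement precondition is present.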
Check Version:
catalina.sh version (Unix) or catalina.bat version (Windows)
Verify Fix Applied:
1. Confirm the Tomcat version is 11.0.15+, 10.1.50+, or 9.0.113+.
2. Test that mismatched SNI and HTTP Host headers no longer bypass authentication.
📡 Detection & Monitoring
Log Indicators:
- Multiple host names in a single TLS session
- Authentication failures followed by successful access with different host headers
Network Indicators:
- Mismatched SNI and HTTP Host header values in TLS handshakes
SIEM Query:
Search for TLS connections with SNI host different from HTTP Host header, followed by successful authentication