CVE-2025-68161 – This vulnerability in Apache Log4j Core allows ... (How to Fix)

Q: What is the severity of CVE-2025-68161?

CVE-2025-68161 has a CVSS score of 4.8 (MEDIUM). This vulnerability in Apache Log4j Core allows man-in-the-middle attackers to intercept or redirect encrypted log traffic when TLS hostname verification fails, even when configured to verify. It affects systems using Log4j's Socket Appender with TLS connections.

📋 TL;DR

This vulnerability in Apache Log4j Core allows man-in-the-middle attackers to intercept or redirect encrypted log traffic when TLS hostname verification fails, even when configured to verify. It affects systems using Log4j's Socket Appender with TLS connections.

💻 Affected Systems

Products:

Apache Log4j Core

Versions: 2.0-beta9 through 2.25.2

Operating Systems: All operating systems running Java

Default Config Vulnerable: ✅ No

Notes: Only affects systems using Socket Appender with TLS connections. The verifyHostName configuration must be set to true for the vulnerability to be relevant.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive log data containing credentials, PII, or system information is intercepted by attackers, leading to data breaches or further system compromise.

🟠

Likely Case

Log data interception allowing attackers to gather intelligence about system operations, user activities, or application behavior.

🟢

If Mitigated

Minimal impact with proper network segmentation and certificate pinning, though risk remains if traffic can be intercepted.

🌐 Internet-Facing: MEDIUM - Requires both traffic interception capability and trusted certificate presentation, but internet-facing systems are more exposed to interception attempts.

🏢 Internal Only: LOW - Internal networks typically have better segmentation and monitoring, making interception more difficult but still possible with insider threats.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires both network interception capability and ability to present a trusted certificate, making it more complex than simple remote exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.25.3

Vendor Advisory: https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx

Restart Required: Yes

Instructions:

1. Download Log4j Core 2.25.3 from Apache repository. 2. Replace existing Log4j Core JAR files with new version. 3. Restart all applications using Log4j. 4. Verify configuration still works correctly.

🔧 Temporary Workarounds

Restrict Trust Store

all

Configure Socket Appender to use a private or restricted trust root to limit trusted certificates

Configure log4j2.xml with custom trustStore and trustStorePassword parameters

🧯 If You Can't Patch

Implement network segmentation to isolate log traffic from potential interception points
Use certificate pinning or implement additional encryption layer for log transport

🔍 How to Verify

Check if Vulnerable:

Check Log4j version in application classpath: java -cp "log4j-core-*.jar" org.apache.logging.log4j.core.Version

Check Version:

java -cp "log4j-core-*.jar" org.apache.logging.log4j.core.Version

Verify Fix Applied:

Verify version shows 2.25.3 or higher and test TLS connections with invalid hostnames to confirm rejection

📡 Detection & Monitoring

Log Indicators:

Unexpected certificate validation failures
Log traffic interruptions
Connection resets during TLS handshake

Network Indicators:

Unusual outbound connections from logging systems
TLS handshakes with unexpected certificates

SIEM Query:

source="log4j" AND (event="TLS_ERROR" OR event="CERTIFICATE_VALIDATION")

📊 Metadata

CVE ID: CVE-2025-68161

CVSS v3 Score: 4.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-297

EPSS Score: 0.28% exploit probability (50.6th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://github.com/apache/logging-log4j2/pull/4002 Issue Tracking,Patch
https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx Mailing List
https://logging.apache.org/cyclonedx/vdr.xml Vendor Advisory
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName Product
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName Product
https://logging.apache.org/security.html#CVE-2025-68161 Exploit,Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/18/1 Mailing List
https://lists.debian.org/debian-lts-announce/2026/01/msg00015.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-68161, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Log4j by Apache

Log4j by Apache

Log4j by Apache

Log4j by Apache

Log4j by Apache

Log4j by Apache

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Trust Store

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities