CVE-2025-23048 Overview
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
Critical Impact
Access control bypass allowing unauthorized access between virtual hosts.
Affected Products
- Apache HTTP Server 2.4.35
- Apache HTTP Server 2.4.63
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to apache
- Not Available - CVE CVE-2025-23048 assigned
- Not Available - apache releases security patch
- 2025-07-10 - CVE CVE-2025-23048 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-23048
Vulnerability Analysis
The vulnerability exists in certain configurations of mod_ssl where multiple virtual hosts use different sets of trusted client certificates. Without enabling SSLStrictSNIVHostCheck, a client that is trusted by one virtual host may resume a session in another, unauthorized virtual host, bypassing access controls.
Root Cause
The root cause is the improper configuration handling of TLS 1.3 session resumption, where SSLStrictSNIVHostCheck is not applied across multiple virtual hosts.
Attack Vector
Network
# Example misconfiguration
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/path/to/cert.pem"
SSLCertificateKeyFile "/path/to/key.pem"
SSLCACertificateFile "/path/to/ca.pem"
</VirtualHost>
Detection Methods for CVE-2025-23048
Indicators of Compromise
- Access logs showing unexpected access to virtual hosts
- Log entries indicating unauthorized client certificate use
- TLS session resumption in logs across different virtual hosts
Detection Strategies
Utilize SentinelOne's advanced threat detection to monitor log files for access patterns that indicate unauthorized access via TLS session resumption.
Monitoring Recommendations
Regularly check access logs for anomalies in virtual host access and implement logging for all client certificate operations across your Apache instances.
How to Mitigate CVE-2025-23048
Immediate Actions Required
- Enable SSLStrictSNIVHostCheck in all virtual host configurations.
- Review and update TLS settings to prevent unauthorized access.
- Apply all available security patches from Apache.
Patch Information
Refer to the Apache security advisory for patch details and ensure the latest patches have been applied.
Workarounds
Configure mod_ssl to ensure strict host checking is enforced by modifying the server configuration:
# Configuration example that enables strict SNI host checking
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/path/to/cert.pem"
SSLCertificateKeyFile "/path/to/key.pem"
SSLCACertificateFile "/path/to/ca.pem"
SSLStrictSNIVHostCheck on
</VirtualHost>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
