CVE-2025-23048 Overview
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
Critical Impact
Access control bypass allowing unauthorized access between virtual hosts.
Affected Products
- Apache HTTP Server 2.4.35 through 2.4.63 (inclusive), in the mod_ssl configurations described above
Discovery Timeline
- Not Available - Dates of discovery, responsible disclosure to Apache, CVE-2025-23048 assignment and the Apache security patch release
- 2025-07-10 - CVE-2025-23048 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-23048
Vulnerability Analysis
The vulnerability exists in certain configurations of mod_ssl where multiple virtual hosts use different sets of trusted client certificates. Without enabling SSLStrictSNIVHostCheck, a client that is trusted by one virtual host may resume a session in another, unauthorized virtual host, bypassing access controls.
Root Cause
The root cause is in how mod_ssl handles TLS 1.3 session resumption across name-based virtual hosts: a session that was established, and client-certificate verified, against one virtual host can be resumed and used with a different virtual host that trusts a different CA, and unless SSLStrictSNIVHostCheck is enabled the resumed session is not rejected in that second virtual host.
Attack Vector
Network
# Example misconfiguration: one of several name-based virtual hosts on the same
# address/port, each trusting a different client CA; SSLStrictSNIVHostCheck is
# not enabled in any of them (host names and paths are placeholders)
<VirtualHost *:443>
ServerName a.example.com
SSLEngine on
SSLCertificateFile "/path/to/cert.pem"
SSLCertificateKeyFile "/path/to/key.pem"
SSLCACertificateFile "/path/to/ca-a.pem"
SSLVerifyClient require
</VirtualHost>
# A second <VirtualHost *:443> for b.example.com is identical except that it
# trusts a different client CA via SSLCACertificateFile "/path/to/ca-b.pem"
Detection Methods for CVE-2025-23048
Indicators of Compromise
- Access log entries showing a client reaching a virtual host whose configured client CA did not issue that client's certificate
- Client certificate issuer or subject DNs in the logs that do not match the CA configured for the virtual host that served the request
- Resumed TLS sessions (rather than initial handshakes) appearing in the logs of a virtual host other than the one where the same client's initial handshake was logged
Detection Strategies
Utilize SentinelOne's advanced threat detection to monitor log files for access patterns that indicate unauthorized access via TLS session resumption.
Monitoring Recommendations
Regularly check access logs for anomalies in virtual host access and implement logging for all client certificate operations across your Apache instances.
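The checks above are only possible if the access log records the serving virtual host, whether the session was resumed, and the client certificate's issuer. The following is an added example, not code from the original page or from the Apache project; it assumes a custom LogFormat such as `LogFormat "%v %h %{SSL_SESSION_RESUMED}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_I_DN}x\" \"%r\"" sslaudit`, and the host names, CA DNs and log lines are constructed.

```python
import shlex

# Which client CA each virtual host trusts, as a constructed mapping keyed by
# ServerName. In a real deployment derive it from each vhost's SSLCACertificateFile.
TRUSTED_ISSUER = {
    "a.example.com": "CN=Client CA A,O=Example",
    "b.example.com": "CN=Client CA B,O=Example",
}

# Constructed sample lines in the assumed LogFormat:
#   %v %h %{SSL_SESSION_RESUMED}x %{SSL_CLIENT_VERIFY}x "%{SSL_CLIENT_I_DN}x" "%r"
SAMPLE_LOG = """\
a.example.com 203.0.113.5 Initial SUCCESS "CN=Client CA A,O=Example" "GET / HTTP/1.1"
b.example.com 203.0.113.5 Resumed SUCCESS "CN=Client CA A,O=Example" "GET /admin HTTP/1.1"
b.example.com 198.51.100.7 Initial SUCCESS "CN=Client CA B,O=Example" "GET / HTTP/1.1"
a.example.com 198.51.100.9 Initial NONE "-" "GET /public HTTP/1.1"
"""

FIELDS = ("vhost", "client", "resumed", "verify", "issuer", "request")

def parse_line(line):
    """Split one log line into a dict; shlex honours the quoted DN and request."""
    values = shlex.split(line)
    if len(values) != len(FIELDS):
        raise ValueError(f"unexpected field count in: {line!r}")
    return dict(zip(FIELDS, values))

def find_issuer_mismatches(log_text, trusted=TRUSTED_ISSUER):
    """Return entries where a verified client cert was accepted by a vhost whose
    configured CA did not issue it. A Resumed session is the CVE-2025-23048
    pattern (session carried over from another vhost); an Initial handshake with
    the wrong issuer is flagged too, since it points at a CA misconfiguration."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        expected = trusted.get(entry["vhost"])
        if expected is None or entry["verify"] != "SUCCESS":
            continue  # unknown vhost, or no client certificate was verified
        if entry["issuer"] != expected:
            entry["reason"] = ("resumed session with another vhost's client CA"
                               if entry["resumed"] == "Resumed"
                               else "initial handshake with unexpected client CA")
            findings.append(entry)
    return findings
```

Run it over the real log with the mapping filled in from your configuration; only the Resumed hits correspond to the resumption pattern described for this CVE.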
How to Mitigate CVE-2025-23048
Immediate Actions Required
- Enable SSLStrictSNIVHostCheck in all virtual host configurations.
- Review and update TLS settings to prevent unauthorized access.
- Apply all available security patches from Apache.
Patch Information
Refer to the Apache security advisory for patch details and ensure the latest patches have been applied.
Workarounds
Configure mod_ssl to ensure strict host checking is enforced by modifying the server configuration:
# Configuration example that enables strict SNI host checking; set it in every
# mod_ssl virtual host that restricts client certificates, and apply the Apache
# patch as well, since this is a workaround rather than the fix
<VirtualHost *:443>
ServerName a.example.com
SSLEngine on
SSLCertificateFile "/path/to/cert.pem"
SSLCertificateKeyFile "/path/to/key.pem"
SSLCACertificateFile "/path/to/ca-a.pem"
SSLVerifyClient require
SSLStrictSNIVHostCheck on
</VirtualHost>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

