CVE-2025-23419: F5 Nginx Auth Bypass Vulnerability

CVE-2025-23419 is an authentication bypass vulnerability in F5 Nginx that allows attackers to circumvent client certificate authentication using session resumption. This post covers technical details, affected versions, and mitigations.

Updated: January 22, 2026

CVE-2025-23419 Overview

CVE-2025-23419 is an authentication bypass vulnerability affecting F5 NGINX and NGINX Plus web servers. When multiple server blocks are configured to share the same IP address and port, an attacker can exploit TLS session resumption mechanisms to bypass client certificate authentication requirements. This vulnerability arises when TLS Session Tickets or SSL session cache are used in the default server that performs client certificate authentication.

Critical Impact

Attackers can bypass client certificate authentication on NGINX servers, potentially gaining unauthorized access to protected resources that should require valid client certificates for access.

Affected Products

  • F5 NGINX (multiple versions)
  • F5 NGINX Plus R32, R32-p1, R33, R33-p1
  • Debian Linux 11.0

Discovery Timeline

  • 2025-02-05 - CVE-2025-23419 published to NVD
  • 2025-11-12 - Last updated in NVD database

Technical Details for CVE-2025-23419

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287, CWE-613) exploits a fundamental flaw in how NGINX handles TLS session resumption across multiple virtual server blocks sharing the same network endpoint. The core issue lies in the session ticket and session cache mechanisms that allow previously authenticated sessions to be resumed without re-performing the full TLS handshake, including client certificate validation.

When a default server block is configured with client certificate authentication and shares its IP address and port with other server blocks, the TLS session state from the authenticated connection can be improperly reused. An attacker who establishes a legitimate TLS session with the default server can then leverage that session's resumption ticket or cached session to access other server blocks that would normally require different or stricter client certificate authentication.

Root Cause

The root cause stems from improper session management and insufficient separation of TLS session state between virtual server blocks. NGINX's ssl_session_ticket_key and ssl_session_cache directives enable session resumption for performance optimization, but when multiple server blocks share these mechanisms on the same IP:port combination, the session authentication context is not properly isolated. This allows session credentials validated for one server block to be incorrectly accepted by another, bypassing the intended client certificate authentication requirements.

Attack Vector

The attack is network-based and can be performed remotely. An attacker exploits this vulnerability by:

  1. Establishing a legitimate TLS connection to the default server block that performs client certificate authentication
  2. Obtaining a valid TLS session ticket or having the session cached
  3. Using the session resumption mechanism to connect to other server blocks on the same IP:port
  4. Relying on the resumed session to skip the client certificate authentication checks on the target server block

This attack requires the attacker to have some level of prior access in order to establish the initial authenticated session, but once that session has been obtained, it can be used to access resources that should require separate authentication validation.

Detection Methods for CVE-2025-23419

Indicators of Compromise

  • Unusual TLS session resumption patterns where clients access multiple virtual hosts rapidly using the same session
  • Access logs showing connections to protected resources without corresponding client certificate validation entries
  • Increased session ticket reuse across different server blocks sharing the same IP:port configuration

Detection Strategies

  • Monitor TLS handshake logs for session resumption events, particularly those accessing server blocks with client certificate requirements
  • Implement logging that correlates session ticket usage across different virtual server configurations
  • Deploy network intrusion detection rules to identify suspicious patterns of session reuse across virtual hosts
  • Audit NGINX configurations for shared IP:port bindings with differing client certificate authentication requirements

Monitoring Recommendations

  • Enable detailed SSL/TLS logging in NGINX to capture session resumption events and client certificate validation outcomes
  • Configure alerts for access to authenticated resources without corresponding client certificate handshake completion
  • Regularly review access patterns to server blocks that require client certificate authentication
  • Implement SentinelOne Singularity Platform monitoring for anomalous web server behavior and authentication bypass attempts

How to Mitigate CVE-2025-23419

Immediate Actions Required

  • Review all NGINX configurations for server blocks sharing the same IP address and port with differing client certificate authentication requirements
  • Disable TLS session tickets and session cache on affected server configurations as a temporary mitigation
  • Consider separating server blocks with client certificate requirements onto unique IP:port combinations
  • Apply vendor patches as soon as they become available from F5
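The configuration audit described under Detection Strategies and Immediate Actions, as an added example that is not code from the page or from F5: it groups server blocks by listen endpoint and flags any block that requires a client certificate while sharing its endpoint with another block and still allowing TLS session resumption. The sample configuration is constructed, and the parser is a deliberate simplification (see the comments).

```python
import re
from collections import defaultdict
# Constructed sample config (not from the page): two blocks share port 443 and the
# default one requires a client cert with resumption left at nginx defaults; the
# 8443 block is alone on its endpoint with resumption disabled (should not flag).
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name secure.example.com;
    ssl_verify_client on;
}
server {
    listen 443 ssl;
    server_name public.example.com;
}
server {
    listen 8443 ssl;
    server_name alone.example.com;
    ssl_verify_client on;
    ssl_session_tickets off;
    ssl_session_cache off;
}
"""

# Simplified parser: assumes each server block's closing brace is at column 0
# and nested blocks (location, if) are indented, as in the sample above.
SERVER_RE = re.compile(r"server\s*\{(.*?)\n\}", re.S)
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;{]+);", re.M)

def parse_servers(conf):
    """Return one {directive: value} dict per server block."""
    return [dict(DIRECTIVE_RE.findall(body)) for body in SERVER_RE.findall(conf)]

def audit(conf):
    """(endpoint, server_name) for each client-cert server block that shares
    its listen endpoint with another block while TLS resumption is enabled."""
    by_endpoint = defaultdict(list)
    for srv in parse_servers(conf):
        by_endpoint[srv.get("listen", "80").split()[0]].append(srv)  # '443 ssl' -> '443'
    findings = []
    for endpoint, servers in by_endpoint.items():
        if len(servers) < 2:
            continue  # endpoint not shared: precondition of the bypass absent
        for srv in servers:
            if srv.get("ssl_verify_client", "off") == "off":
                continue
            tickets = srv.get("ssl_session_tickets", "on")  # nginx default: on
            cache = srv.get("ssl_session_cache", "none")    # nginx default: none
            if tickets != "off" or cache not in ("off", "none"):
                findings.append((endpoint, srv.get("server_name", "<unnamed>")))
    return findings
```

Run it against a full nginx.conf (with includes expanded) to list the server blocks that match the CVE-2025-23419 precondition before applying the workaround below.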

Patch Information

F5 has released information regarding this vulnerability. Administrators should consult the F5 Technical Article (K000149173) for specific patch details and upgrade instructions. Debian users should refer to the Debian LTS Announcement for package updates. Additional technical details are available in the Openwall OSS Security Update.

Workarounds

  • Disable session resumption by setting ssl_session_tickets off; and removing or disabling ssl_session_cache directives in affected server blocks
  • Configure unique ssl_session_ticket_key values for each server block that requires client certificate authentication
  • Separate server blocks with client certificate authentication requirements onto different IP addresses or ports
  • Implement application-layer authentication as an additional security control
```nginx
# Temporary workaround configuration for NGINX
# Add to affected server blocks requiring client certificate authentication

server {
    listen 443 ssl;
    server_name secure.example.com;

    # Disable session tickets to prevent resumption-based bypass
    ssl_session_tickets off;

    # Disable shared session cache
    ssl_session_cache off;

    # Maintain client certificate requirement
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;

    # Additional hardening
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: F5 Nginx
  • Severity: MEDIUM
  • CVSS Score: 5.3
  • EPSS Probability: 0.63%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-287
  • CWE-613

Technical References

  • Openwall OSS Security Update
  • Debian LTS Announcement

Vendor Resources

  • F5 Technical Article (K000149173)

Related CVEs

  • CVE-2021-3618: F5 Nginx Auth Bypass Vulnerability