CVE Tools
Sign in

CVE-2025-23048

Apache HTTP Server: mod_ssl access control bypass with session resumption

Published: Jul 10, 2025Updated: Nov 4, 2025 Sources: CVE List NVD BDUCWE-284
9.1CRITICAL
NVD MITRE
EPSS Score
1.0%
Top 42.7%
CISA KEV
Not in KEV
Exploits
1 Known
Remediation
Patch Available

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

No summary for this CVE yet.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-284

Affected Products

http serverapache
On-premWeb App
Networking Infrastructure / load-balancer-proxy
Apache HTTP ServerApache Software Foundation
On-premWeb App
Networking Infrastructure / load-balancer-proxy
Suse Linux Enterprise DesktopNovell Inc.
On-premOS
Operating Systems / linux-distro
SUSE Linux Enterprise Server for SAP ApplicationsNovell Inc.
On-premOS
Operating Systems / linux-distro
OpenSUSE LeapNovell Inc.
On-premOS
Operating Systems / linux-distro
apacheoss-projectUSWeb & CMS Pluginsaka apache http server, apache httpd
apache software foundationoss-projectUSWeb & CMS Pluginsaka apache foundation
novell inc.commercialUSOperating Systems
and 14 more affected products View all →

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available
No detection template yetWe can run the check for you — a free external exposure review, no install. Check my exposure

References

https://httpd.apache.org/security/vulnerabilities_24.html
httpd.apache.org
http://www.openwall.com/lists/oss-security/2025/07/10/2
openwall.com
http://www.openwall.com/lists/oss-security/2025/07/10/8
openwall.com
and 16 more references View all →

Timeline

Published
Jul 10, 2025
Last Updated
Nov 4, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-23048 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows