CVE-2025-23048

CRITICAL

Apache HTTP Server 2.4.35-2.4.63 - Access Control Bypass via TLS 1.3 Session Resumption


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-23048. PoCs published by absholi7ly, adminlove520.

AI-analyzed exploit summary: This repository provides a functional proof-of-concept for CVE-2025-23048, demonstrating how an attacker can bypass client certificate authentication in Apache HTTP Server by leveraging TLS 1.3 session resumption across virtual hosts with different SSLCACertificateFile directives.

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl serves multiple virtual hosts, each restricted to a different set of trusted client certificates (for example, each with a different SSLCACertificateFile or SSLCACertificatePath setting). In that case a client that is trusted to access one virtual host may be able to resume its TLS 1.3 session against another virtual host and so reach content it was never authorized for, if SSLStrictSNIVHostCheck is not enabled in either virtual host. The issue is fixed in Apache HTTP Server 2.4.64; until upgraded, enabling SSLStrictSNIVHostCheck is the configuration-level mitigation named in the advisory.
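The affected pattern is a configuration property, so it can be audited offline before any upgrade. The following is an added example, not code from the PoC repositories or from the httpd project: a small httpd.conf scanner that extracts every <VirtualHost> block, records which vhosts authenticate clients by certificate and which trusted-CA set each uses, and reports the advisory's condition (two or more differing trusted-CA sets and no vhost with SSLStrictSNIVHostCheck on). The two configurations embedded at the bottom are constructed for the demonstration; the hostnames and certificate paths are placeholders, and the parser assumes the SSL directives of interest are set inside each vhost rather than inherited from the server level.

```python
import re

# Matches each <VirtualHost ...> ... </VirtualHost> block and captures its body.
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
DIRECTIVE_RE = re.compile(r"^(\S+)\s+(.+)$")


def parse_vhosts(config_text):
    """Return a list of {directive_lowercase: value} dicts, one per <VirtualHost>.

    Comments are stripped and nested container tags (<Location>, <Directory>)
    are skipped, so a directive placed inside such a container is attributed
    to the enclosing vhost.  Global (server-level) directives are not merged;
    this assumes SSL directives of interest are set per vhost.
    """
    vhosts = []
    for body in VHOST_RE.findall(config_text):
        directives = {"servername": "(unnamed)"}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("<"):
                continue
            m = DIRECTIVE_RE.match(line)
            if m:
                directives[m.group(1).lower()] = m.group(2).strip().strip('"')
        vhosts.append(directives)
    return vhosts


def audit(config_text):
    """Return (affected, findings) for the CVE-2025-23048 configuration pattern.

    affected is True when at least two SSL vhosts require client certificates
    from different trusted-CA sets and no vhost sets SSLStrictSNIVHostCheck on.
    Matching the pattern is not proof of exploitability; the real remediation
    is upgrading to 2.4.64 or later, where the CVE is fixed.
    """
    findings = []
    strict_anywhere = False
    ca_by_vhost = {}
    for v in parse_vhosts(config_text):
        if v.get("sslengine", "off").lower() != "on":
            continue
        if v.get("sslstrictsnivhostcheck", "off").lower() == "on":
            strict_anywhere = True
        if v.get("sslverifyclient", "none").lower() == "none":
            continue  # this vhost does not authenticate clients by certificate
        ca = (v.get("sslcacertificatefile"), v.get("sslcacertificatepath"))
        ca_by_vhost[v["servername"]] = ca
        findings.append(f"{v['servername']}: client certs trusted from {ca}")
    if len(set(ca_by_vhost.values())) < 2:
        findings.append("fewer than two distinct trusted-CA sets: pattern not present")
        return False, findings
    if strict_anywhere:
        findings.append("SSLStrictSNIVHostCheck on in at least one vhost: advisory condition not met")
        return False, findings
    findings.append("AFFECTED PATTERN: differing trusted-CA sets and SSLStrictSNIVHostCheck off")
    return True, findings


# Constructed sample configurations (placeholder hostnames and paths).
VULNERABLE_CONF = """
<VirtualHost *:443>
    ServerName admin.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/admin.pem
    SSLCACertificateFile /etc/ssl/admin-ca.pem     # only admin-CA clients
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    ServerName partner.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/partner.pem
    SSLCACertificateFile /etc/ssl/partner-ca.pem   # only partner-CA clients
    SSLVerifyClient require
</VirtualHost>
"""

# Same layout with the advisory's mitigation applied to both vhosts.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "SSLVerifyClient require",
    "SSLVerifyClient require\n    SSLStrictSNIVHostCheck on",
)

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        affected, findings = audit(conf)
        print(f"[{name}] affected={affected}")
        for line in findings:
            print("   ", line)
```

Point it at a concatenated dump of the live configuration (for example the output of a config include expansion) rather than a single file, since the two vhosts that matter are often defined in separate site files.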

Exploits (2)

GitHub · WORKING POC · 4 stars
by absholi7ly · poc
https://github.com/absholi7ly/CVE-2025-23048-POC

This repository provides a functional proof-of-concept for CVE-2025-23048, demonstrating how an attacker can bypass client certificate authentication in Apache HTTP Server by leveraging TLS 1.3 session resumption across virtual hosts with different SSLCACertificateFile directives.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache HTTP Server versions 2.4.35 – 2.4.63
Auth: requires a client certificate already trusted by one of the server's virtual hosts (the attacker is a trusted client of a different vhost than the one being accessed)
Prerequisites: Valid client certificate for one virtual host · TLS 1.3 enabled on the target server · Session resumption enabled on the target server · SSLStrictSNIVHostCheck not enabled
devstral-2 · analyzed Feb 19, 2026
GitHub · SCANNER · 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-23048

The repository contains a scanner for CVE-2024-21762, a Fortinet SSL VPN vulnerability, which checks for the presence of the vulnerability without exploiting it. It includes Python scripts to test individual hosts or lists of IPs for vulnerability status. Note: this analysis text describes a Fortinet CVE-2024-21762 scanner and does not match CVE-2025-23048; the linked path is one directory of an aggregator repository, and the classification fields below reflect the mismatched analysis rather than verified content for this CVE.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Fortinet SSL VPN
No auth needed
Prerequisites: network access to target host · SSL/TLS connectivity
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3.1 base score 9.1 (Critical)
EPSS 0.0097 (0.97%)
EPSS Percentile 57.1%
Attack Vector NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-284
Status published
Products (1)
apache/http_server 2.4.35 - 2.4.63 (fixed in 2.4.64)
Published Jul 10, 2025
Tracked Since Feb 18, 2026