CVE-2025-23419

MEDIUM

F5 NGINX 1.11.4-1.26.2 and NGINX Plus R28-R31 - Incorrect Authorization via TLS Session Resumption

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-23419. PoCs published by xitexploiter96-dot, harley-ghostie.

Description

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) is used in the default server and the default server is performing client certificate authentication.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (2)

nomisec WORKING POC
by xitexploiter96-dot · poc
https://github.com/xitexploiter96-dot/CVE-2025-23419

This repository contains a functional Python exploit for CVE-2025-23419, which tests for TLS session reuse vulnerabilities that may allow authentication bypass in misconfigured servers. The script connects to a server requiring client certificate authentication, establishes a TLS session, and reuses the session to access another server, checking for authentication bypass.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: TLS servers with misconfigured session reuse (specific software not specified)
Auth required
Prerequisites: Python 3.x · requests · cryptography · urllib3 · client certificate and key files · target server with TLS session reuse vulnerability
devstral-2 · analyzed Apr 09, 2026

nomisec SCANNER
by harley-ghostie · poc
https://github.com/harley-ghostie/safe-check-CVE-2025-23419

This is a heuristic scanner for CVE-2025-23419, an NGINX mTLS bypass vulnerability via TLS session resumption. It checks for vulnerable NGINX versions, mTLS requirements, and TLS session resumption support without exploiting the vulnerability.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: NGINX versions before 1.26.3 and 1.27.4
No auth needed
Prerequisites: Network access to the target NGINX server · TLS/SSL enabled on the target server
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2025/02/05/8
Vendor Advisory: https://my.f5.com/manage/s/article/K000149173

Scores

CVSS v3 4.3
EPSS 0.0256
EPSS Percentile 83.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE: CWE-863
Status published
Products (5)
debian/debian_linux 11.0
f5/nginx 1.11.4 - 1.26.3
f5/nginx_plus r32 (2 CPE variants)
f5/nginx_plus r33 (2 CPE variants)
f5/nginx_plus r28 - r32
Published Feb 05, 2025
Tracked Since Feb 18, 2026