CVE-2025-27809

MEDIUM

Mbed TLS <2.28.10 & <3.6.3 - SSL/TLS

Title source: llm

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

References (4)

[Release Notes] https://github.com/Mbed-TLS/mbedtls/releases

[Third Party Advisory] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

[Issue Tracking] https://github.com/Mbed-TLS/mbedtls/issues/466

[Not Applicable] https://mastodon.social/@bagder/114219540623402700

Scores

CVSS v3 5.4

EPSS 0.0008

EPSS Percentile 23.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Classification

CWE

CWE-1188

Status published

Affected Products (1)

arm/mbed_tls < 2.28.10

Timeline

Published Mar 25, 2025

Tracked Since Feb 18, 2026