
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2023-6058) has been identified in Bitdefender Safepay's HTTPS connection handling mechanism. The vulnerability was discovered and disclosed on October 18th, 2024, affecting Bitdefender Total Security software. The issue received a high severity CVSS score of 8.6, indicating its significant potential impact on system security (Bitdefender Advisory).
The vulnerability stems from Bitdefender Safepay's improper handling of HTTPS connections when dealing with untrusted server certificates. When the product blocks a connection due to an untrusted server certificate, it allows users to add the site to exceptions. Subsequently, the product trusts the certificate for future HTTPS scans, creating a security weakness. The vulnerability has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (Bitdefender Advisory).
The vulnerability enables attackers to perform Man-in-the-Middle (MITM) attacks by using self-signed certificates. Once a site is added to exceptions, the attacker can potentially intercept and alter secure communications between the user and websites, compromising the confidentiality and integrity of sensitive data (Bitdefender Advisory).
Bitdefender has released an automatic update (version 27.0.25.115) that addresses this vulnerability. Users are strongly advised to ensure their Bitdefender Total Security software is updated to this version or later to mitigate the risk (Bitdefender Advisory).
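One way to act on this advice across many endpoints, as an added example that is not from Bitdefender or the original page: the script below compares product versions from an inventory export against the fixed version 27.0.25.115. The CSV layout, hostnames and sample version strings are constructed assumptions.

```python
import csv
import io

FIXED_VERSION = "27.0.25.115"  # fixed version named in the advisory text above

# Constructed sample inventory; column names, hosts and versions are assumptions.
SAMPLE_INVENTORY = """host,product,version
ws-001,Bitdefender Total Security,27.0.25.115
ws-002,Bitdefender Total Security,27.0.25.114
ws-003,Bitdefender Total Security,27.0.30
ws-004,Bitdefender Total Security,
ws-005,Bitdefender Total Security,26.0.1.1
ws-006,Other Product,1.2.3.4
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text, fixed=FIXED_VERSION):
    """Return 'patched', 'vulnerable', or 'unknown' (needs a manual check)."""
    v, f = parse_version(version_text), parse_version(fixed)
    if v is None:
        return "unknown"  # never report an unreadable version as patched
    n = max(len(v), len(f))
    # Pad the shorter version with zeros so 27.0.30 compares as 27.0.30.0.
    v, f = v + (0,) * (n - len(v)), f + (0,) * (n - len(f))
    return "patched" if v >= f else "vulnerable"

def audit(inventory_csv, product="Bitdefender Total Security"):
    """Map host -> status for every inventory row of the given product."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"] or "")
            for r in rows if r["product"] == product}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` have a missing or unparseable version and should be checked by hand rather than assumed to be updated.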
Source: This report was generated using AI