CVE-2025-23048: 
Apache HTTP Server vulnerability analysis and mitigation

In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. The vulnerability affects configurations where modssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates. The issue was discovered by researchers from Paderborn University and assigned CVE-2025-23048 (Apache Security, NVD).

The vulnerability occurs when mod_ssl is configured with multiple virtual hosts, each having different trusted client certificate restrictions (for example, using different SSLCACertificateFile/Path settings). In such configurations, a client trusted to access one virtual host may gain unauthorized access to another virtual host if SSLStrictSNIVHostCheck is not enabled in either virtual host. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) (NVD).

The vulnerability allows trusted clients to bypass access control mechanisms between different virtual hosts. A client with legitimate access to one virtual host could potentially access resources on another virtual host that they should not have permission to access (Apache Security).

Users are recommended to upgrade to Apache HTTP Server version 2.4.64, which fixes this vulnerability. Alternatively, enabling SSLStrictSNIVHostCheck in the virtual host configurations can prevent the access control bypass (Apache Security).