#VU106010 Improper certificate validation in mbed TLS - CVE-2025-27809
Published: March 25, 2025
Vulnerability identifier: #VU106010
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-27809
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
mbed TLS
mbed TLS
Software vendor:
ARM
ARM
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists within the client authentication process during certificate-based authentication. Due to insecure default behavior, if a TLS client application does not call mbedtls_ssl_set_hostname(), the server verification step is skipped. As a result, a remote attacker can supply any valid certificate signed by a trusted CA and perform MitM attack.
Remediation
Install updates from vendor's website.