Improper validation of certificate with host mismatch in Apache Log4j - CVE-2025-68161


Published: December 22, 2025


Vulnerability identifier: #VU120231
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-68161
CWE-ID: CWE-297
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Log4j

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform a MitM attack and intercept or redirect the log traffic.
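As an added illustration (not Log4j's own code), the following Java shows what a TLS client must do to close the CWE-297 gap described above: enable JSSE endpoint identification so that the handshake rejects a server certificate whose subject does not match the host being connected to. The class name and the `verifyHostName` parameter are assumptions for this example; the parameter mirrors the configuration attribute named in the description, and with it set to true a mismatched certificate makes `startHandshake()` throw `SSLHandshakeException` instead of silently connecting.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper showing correct TLS client behaviour for a socket-based
// log transport; it is not the Log4j Socket Appender implementation.
public final class VerifiedTlsClient {

    // Opens a TLS connection to host:port. When verifyHostName is true, the JSSE
    // handshake validates the peer certificate's SAN/CN against 'host' in
    // addition to checking the chain against the trust store.
    public static SSLSocket connect(String host, int port, boolean verifyHostName)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        if (verifyHostName) {
            // "HTTPS" selects RFC 2818 / RFC 6125 host name matching. Without
            // this call JSSE accepts ANY certificate the trust store trusts,
            // which is exactly the mismatch the advisory describes.
            params.setEndpointIdentificationAlgorithm("HTTPS");
        }
        socket.setSSLParameters(params);

        // Forces the handshake now so a certificate/host mismatch surfaces as
        // an SSLHandshakeException here, before any log data is written.
        socket.startHandshake();
        return socket;
    }

    private VerifiedTlsClient() {}
}
```

A defender validating a patched deployment can point the client at a server presenting a certificate for a different name and confirm the handshake fails when `verifyHostName` is true; the same test against the vulnerable behaviour would connect without error.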


How to mitigate CVE-2025-68161

Install updates from the vendor's website.
