← volver
CVE-2025-49812

Apache HTTP Server: mod_ssl TLS upgrade attack

CVSS 7.4 HIGHEPSS 0.5%CWE-287
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Productos afectados
Apache Software Foundation · Apache HTTP Server

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://httpd.apache.org/security/vulnerabilities_24.htmlhttps://lists.debian.org/debian-lts-announce/2025/08/msg00009.htmlhttp://www.openwall.com/lists/oss-security/2025/07/09/3http://www.openwall.com/lists/oss-security/2025/07/10/2http://www.openwall.com/lists/oss-security/2025/07/10/9