CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack

Description

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

Classification

CVE ID: CVE-2025-49812

Problem Types

CWE-287 Improper Authentication

Affected Products

Vendor: Apache Software Foundation

Product: Apache HTTP Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.54% (scored less or equal to compared to others)

EPSS Date: 2025-07-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-49812
https://httpd.apache.org/security/vulnerabilities_24.html

Timeline

2025-07-10 18:40:12 UTC
CVE

Apache HTTP Server: mod_ssl TLS upgrade attack