CVE-2025-15346 is a vulnerability in the wolfSSL-py package, a Python binding for the wolfSSL TLS library, specifically in the handling of the verify_mode parameter set to CERT_REQUIRED. The vulnerability arises because the implementation fails to include the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag, which is essential to enforce mandatory client certificate verification during mutual TLS (mTLS) handshakes. Without this flag, the wolfSSL-py package treats the verify_mode as if it were CERT_OPTIONAL, meaning that if a client certificate is not presented, the connection is still authenticated and allowed. This flaw effectively bypasses the core security guarantee of mTLS, which is to authenticate both server and client, thereby allowing attackers to connect without providing a valid client certificate. The vulnerability affects all versions up to and including 5.8.2, with the earliest affected version noted as 5.3.0. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y) indicates that the attack can be performed remotely over the network without any privileges or user interaction, with high impact on confidentiality and integrity. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-287 (Improper Authentication). No public exploits have been reported yet, but the critical nature and ease of exploitation make it a significant threat to systems relying on wolfSSL-py for secure client authentication.

The primary impact of CVE-2025-15346 is the compromise of mutual TLS authentication, which is widely used to secure sensitive communications by ensuring both client and server identities are verified. For European organizations, this vulnerability can lead to unauthorized access to internal services, APIs, and sensitive data by attackers who can connect without presenting a valid client certificate. This undermines the trust model of mTLS, potentially allowing attackers to impersonate legitimate clients, conduct data exfiltration, or perform lateral movement within networks. Critical sectors such as finance, healthcare, government, and industrial control systems that rely on wolfSSL-py for secure communications are particularly at risk. The vulnerability can also facilitate man-in-the-middle attacks if combined with other weaknesses. Given the high CVSS score and the lack of required authentication or user interaction, the threat is severe and could lead to significant confidentiality and integrity breaches across affected systems in Europe.

1. Immediate mitigation involves upgrading wolfSSL-py to a version where this vulnerability is patched; monitor wolfSSL official channels for the release of a fixed version beyond 5.8.2. 2. If an upgrade is not immediately possible, configure the wolfSSL-py library explicitly to include the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag in the verify_mode settings to enforce strict client certificate verification. 3. Implement additional network-level access controls and monitoring to detect anomalous connections that do not present client certificates. 4. Employ defense-in-depth by combining mTLS with other authentication mechanisms such as OAuth or API keys where feasible. 5. Conduct thorough audits of all systems using wolfSSL-py to identify and remediate vulnerable instances. 6. Educate developers and system administrators about the correct configuration of mTLS parameters to prevent similar misconfigurations. 7. Monitor network traffic for unexpected TLS handshakes lacking client certificates in environments where mTLS is mandatory. 8. Prepare incident response plans to quickly address potential exploitation attempts once the vulnerability is publicly known.