CVE-2025-23419: CWE-863 Incorrect Authorization in F5 NGINX Open Source
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2025-23419 is an authorization bypass vulnerability (CWE-863) affecting F5 NGINX Open Source version 1.11.4. It arises when multiple server blocks share the same IP address and port and the default server enforces client certificate authentication. If TLS session tickets or the SSL session cache are enabled on that default server, an attacker can use TLS session resumption to bypass the client certificate requirement on the other servers sharing that IP and port: a resumed session reuses a previously established TLS session without the client certificate being re-validated, so the intended authentication check is never performed. Exploitation requires network-level access and low privileges, needs no user interaction, and affects confidentiality by granting unauthorized access to resources protected by client certificates. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited impact on integrity and availability but a notable confidentiality risk. No patches or known exploits are currently available, and versions past End of Technical Support are not evaluated. The vulnerability matters most where client certificate authentication is relied on for strong access control, such as internal APIs, administrative portals, or sensitive web services.
Potential Impact
For European organizations, this vulnerability poses a risk to systems relying on client certificate authentication for secure access control, especially in sectors like finance, healthcare, government, and critical infrastructure. Unauthorized bypass of client certificate checks can lead to exposure of sensitive data or unauthorized access to internal services. Since the vulnerability affects TLS session resumption, attackers with network access could impersonate legitimate clients without needing to present valid certificates, undermining trust in authentication mechanisms. This could facilitate lateral movement within networks or unauthorized data exfiltration. The impact is heightened in multi-tenant or shared hosting environments where multiple server blocks share IP addresses and ports. Given the medium severity and absence of known exploits, the immediate risk is moderate but could escalate if exploit code emerges. Organizations with compliance requirements around strong authentication (e.g., GDPR, NIS Directive) must consider this vulnerability seriously to avoid regulatory penalties and reputational damage.
Mitigation Recommendations
To mitigate CVE-2025-23419, first determine whether you are running the affected NGINX Open Source version 1.11.4 with multiple server blocks sharing one IP and port and client certificate authentication enforced on the default server. As an immediate step, disable TLS session tickets with 'ssl_session_tickets off;' in the default server's configuration, and disable or carefully configure the SSL session cache so that session resumption cannot bypass authentication. Where possible, move server blocks onto distinct IP addresses or ports so they do not share session state. Monitor network traffic for unusual TLS session resumption patterns that could indicate exploitation attempts, and plan to upgrade to a patched NGINX version once F5 releases one. Apply network segmentation and strict access controls to limit an attacker's reach at the network layer. Finally, review and strengthen logging and alerting on TLS authentication failures and session resumptions to detect potential abuse.
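The shared-listener layout the advisory describes, with the weak resumption settings shown beside the hardened ones and an access log format that records resumption and client-verification state. This is an added example, not configuration from the advisory or from the NGINX project; hostnames and file paths are placeholders.

```nginx
# Added example (not from the advisory or NGINX); goes inside the http { } context.
# Both server blocks listen on the same ip:port, the layout the advisory describes.

# Default server: this is the one that enforces client certificates, so this is
# where resumption state must not be kept.
server {
    listen 443 ssl default_server;
    server_name admin.example.test;                       # placeholder
    ssl_certificate         /etc/nginx/certs/admin.crt;   # placeholder paths
    ssl_certificate_key     /etc/nginx/certs/admin.key;
    ssl_client_certificate  /etc/nginx/certs/client-ca.crt;
    ssl_verify_client       on;

    # Weak (the advisory's precondition): resumption state on the shared listener.
    # ssl_session_cache   shared:SSL:10m;   # server-side session cache
    # ssl_session_tickets on;               # session tickets (NGINX default)

    # Hardened, as the advisory recommends: no cache, no tickets. Every connection
    # performs a full handshake, so the client certificate is always verified.
    ssl_session_cache   off;
    ssl_session_tickets off;
    # Alternative with less CPU cost: give this server its own ip:port instead,
    # e.g. "listen 8443 ssl;", so it shares no session context with other blocks.
}

# Second block on the same ip:port; no client certificate required here.
server {
    listen 443 ssl;
    server_name public.example.test;                      # placeholder
    ssl_certificate     /etc/nginx/certs/public.crt;
    ssl_certificate_key /etc/nginx/certs/public.key;
}

# Audit log for the "alert on resumptions" recommendation. $ssl_session_reused is
# "r" for a resumed session and "." otherwise; $ssl_client_verify is SUCCESS,
# FAILED:<reason> or NONE. With the hardened settings above, a line showing
# reused=r for admin.example.test should never appear; if it does, the
# configuration has drifted or resumption is being abused, and it is worth review.
log_format tls_audit '$remote_addr host=$ssl_server_name reused=$ssl_session_reused '
                     'verify="$ssl_client_verify" proto=$ssl_protocol "$request"';
access_log /var/log/nginx/tls_audit.log tls_audit;
```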
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: f5
- Date Reserved: 2025-01-22T00:17:16.444Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69091a4fc28fd46ded81d16b
Added to database: 11/3/2025, 9:10:39 PM
Last enriched: 1/24/2026, 7:17:55 PM
Last updated: 2/7/2026, 12:35:19 PM