CVE-2025-35434: CWE-295 Improper Certificate Validation in CISA Thorium
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.
AI Analysis
Technical Summary
CVE-2025-35434 is a security vulnerability identified in CISA Thorium version 1.0.0, related to improper TLS certificate validation (CWE-295) when Thorium connects to Elasticsearch services. Specifically, Thorium fails to validate the authenticity of TLS certificates presented by Elasticsearch instances, allowing an unauthenticated attacker with network access to a Thorium cluster to impersonate the Elasticsearch service. This impersonation could lead to interception or manipulation of data exchanged between Thorium and Elasticsearch, potentially undermining the confidentiality and integrity of the data. The vulnerability does not require any authentication or user interaction, but the attacker must have network access to the Thorium cluster. The flaw was fixed in Thorium version 1.1.2. The CVSS v3.1 base score is 4.2 (medium severity), reflecting the attack vector as adjacent network, high attack complexity, no privileges required, no user interaction, and limited impact on confidentiality and integrity, with no impact on availability. The vulnerability arises from a failure to properly validate TLS certificates, which is a fundamental security control to prevent man-in-the-middle (MITM) attacks. Without proper validation, an attacker could present a fraudulent certificate and intercept or alter communications between Thorium and Elasticsearch, potentially leading to data leakage or corruption. Since Elasticsearch is often used for logging, monitoring, and analytics, compromised data integrity or confidentiality could affect security monitoring and operational awareness.
Potential Impact
For European organizations using CISA Thorium 1.0.0 integrated with Elasticsearch, this vulnerability poses a risk of man-in-the-middle attacks on the communication channel between Thorium and Elasticsearch. This could lead to unauthorized data exposure or manipulation, undermining trust in security monitoring and analytics data. Confidentiality impact is limited but non-negligible, especially if sensitive logs or security event data are transmitted. Integrity impact could affect decision-making based on corrupted or falsified data. Availability is not impacted. Given the medium CVSS score and the requirement for network access to the Thorium cluster, the threat is moderate but should not be ignored. Organizations in regulated sectors such as finance, healthcare, and critical infrastructure in Europe could face compliance risks if security monitoring data is compromised. Additionally, the lack of authentication requirement lowers the barrier for exploitation if network access is gained, increasing risk in environments with insufficient network segmentation or monitoring.
Mitigation Recommendations
1. Upgrade CISA Thorium to version 1.1.2 or later, where the certificate validation issue is fixed.
2. Implement strict network segmentation to restrict access to Thorium clusters, limiting exposure to only trusted hosts and networks.
3. Use network-level encryption and monitoring tools to detect anomalous traffic patterns indicative of MITM attacks.
4. Employ mutual TLS authentication between Thorium and Elasticsearch to ensure both endpoints validate each other's certificates.
5. Regularly audit and verify TLS configurations and certificates used by Thorium and Elasticsearch services to ensure compliance with security best practices.
6. Monitor logs for unusual connection attempts or certificate anomalies.
7. If upgrading immediately is not feasible, consider deploying network-level protections such as VPNs or IPsec tunnels to secure communications between Thorium and Elasticsearch.
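The checks a validating client would perform on the Elasticsearch certificate (trusted issuer, name matching the peer host, and continuity of the presented certificate) can also be run over connection logs as a detection, which is what mitigation items 5 and 6 ask for. This Python example is added here and is not Thorium's code; the key=value log format, the peer name and the sample handshake events are constructed for the example.

```python
import re

# Constructed sample handshake events (not Thorium's or Elasticsearch's real log
# format): one line per TLS connection Thorium makes to its Elasticsearch peer.
SAMPLE_LOG = """\
2025-09-17T10:00:01Z event=tls_handshake peer=es.internal:9200 subject=es.internal issuer="Corp Internal CA" sha256=aa11
2025-09-17T10:05:02Z event=tls_handshake peer=es.internal:9200 subject=es.internal issuer="Corp Internal CA" sha256=aa11
2025-09-17T10:10:03Z event=tls_handshake peer=es.internal:9200 subject=es.internal issuer="Corp Internal CA" sha256=bb22
2025-09-17T10:15:04Z event=tls_handshake peer=es.internal:9200 subject=localhost issuer="Unknown CA" sha256=cc33
"""

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("event", "peer", "subject", "issuer", "sha256")


def parse_line(line):
    """Return the fields of one log line as a dict (timestamp under 'ts'),
    or None when a required field is missing."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if any(k not in fields for k in REQUIRED):
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def detect_cert_anomalies(log_text, trusted_issuers):
    """Flag handshakes where the Elasticsearch peer presented a certificate that
    a validating client would reject. The first fingerprint seen per peer is
    the baseline; a planned certificate rotation must update it out of band."""
    baseline = {}
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["event"] != "tls_handshake":
            continue
        peer, fp = ev["peer"], ev["sha256"]
        host = peer.rsplit(":", 1)[0]
        if ev["issuer"] not in trusted_issuers:
            findings.append((ev["ts"], peer, "untrusted issuer: " + ev["issuer"]))
        if ev["subject"] != host:
            findings.append((ev["ts"], peer,
                             "subject %s does not match peer host %s" % (ev["subject"], host)))
        if peer not in baseline:
            baseline[peer] = fp
        elif fp != baseline[peer]:
            findings.append((ev["ts"], peer,
                             "fingerprint changed %s -> %s" % (baseline[peer], fp)))
    return findings
```

Run `detect_cert_anomalies(SAMPLE_LOG, {"Corp Internal CA"})` to see the third event flagged for a changed fingerprint and the fourth for all three anomalies at once.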
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:57:14.280Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cae909b253b63d00f0f6da
Added to database: 9/17/2025, 4:59:53 PM
Last enriched: 10/1/2025, 12:16:50 AM
Last updated: 10/30/2025, 2:57:51 PM