CVE-2025-35434: CWE-295 Improper Certificate Validation in CISA Thorium
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.
AI Analysis
Technical Summary
CVE-2025-35434 is a medium severity vulnerability identified in CISA Thorium version 1.0.0, involving improper TLS certificate validation (CWE-295) when Thorium connects to Elasticsearch services. Specifically, Thorium does not validate the authenticity of TLS certificates presented by Elasticsearch, allowing an unauthenticated attacker with network access to the Thorium cluster to impersonate the Elasticsearch service. This impersonation can lead to interception or manipulation of data exchanged between Thorium and Elasticsearch, potentially compromising data confidentiality and integrity. The vulnerability does not require user interaction or authentication, but exploitation requires network-level access to the Thorium cluster. The CVSS 3.1 base score is 4.2 (medium), reflecting low confidentiality and integrity impact, no availability impact, high attack complexity, and no privileges or user interaction required. The issue was fixed in Thorium version 1.1.2. No known exploits are currently reported in the wild. This vulnerability highlights the critical importance of proper TLS certificate validation in securing communications between components in distributed systems, especially those handling sensitive or critical data.
Potential Impact
For European organizations using CISA Thorium 1.0.0 integrated with Elasticsearch, this vulnerability could allow attackers with network access to intercept or manipulate data exchanged between Thorium and Elasticsearch. This could lead to unauthorized data disclosure or data tampering, undermining trust in the system's outputs and potentially affecting decision-making processes or operational security. While the impact on availability is negligible, the confidentiality and integrity risks could be significant depending on the sensitivity of the data processed. Organizations in regulated sectors such as finance, healthcare, or critical infrastructure in Europe could face compliance risks under GDPR or sector-specific regulations if sensitive data is exposed or altered. The medium severity rating suggests that while the risk is not critical, it should be addressed promptly to prevent potential escalation or use in multi-stage attacks.
Mitigation Recommendations
European organizations should immediately upgrade CISA Thorium to version 1.1.2 or later, where the TLS certificate validation issue is fixed. Until the upgrade is applied, restrict network access to the Thorium cluster to trusted hosts only, using network segmentation and firewall rules to limit exposure. Mutual TLS authentication between Thorium and Elasticsearch can add a further layer of trust verification, but note that it authenticates the client to Elasticsearch; a client that skips server-certificate validation will still accept an impersonated endpoint, so mutual TLS is a compensating control, not a substitute for the upgrade. Monitoring network traffic for anomalous connections to Elasticsearch endpoints can help detect impersonation attempts. Additionally, review and enforce strict TLS configurations on Elasticsearch instances, and apply certificate pinning and revocation checks on the Thorium client side, where the server certificate is verified. Regular vulnerability scanning and penetration testing focused on TLS configurations and inter-service communications are recommended to identify similar weaknesses proactively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:57:14.280Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cae909b253b63d00f0f6da
Added to database: 9/17/2025, 4:59:53 PM
Last enriched: 9/17/2025, 5:00:36 PM
Last updated: 9/17/2025, 5:00:38 PM