CVE-2025-43918: CWE-348 Use of Less Trusted Source in SSL.com SSL.com

Medium
Published: Sat Apr 19 2025 (04/19/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: SSL.com
Product: SSL.com

Description

SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain.

AI-Powered Analysis

Last updated: 06/21/2025, 10:50:36 UTC

Technical Analysis

CVE-2025-43918 is a vulnerability identified in SSL.com’s certificate issuance process prior to the patch date of April 19, 2025. The issue arises specifically when domain validation method 3.2.2.4.14 is employed. Under this method, SSL.com processed certificate requests in a manner that allowed a trusted TLS certificate to be issued for the domain name embedded in the requester's email address, even if the requester had not demonstrated administrative control over that domain. This is a classic case of CWE-348, the use of a less trusted source for a security decision: the domain part of an email address was treated as evidence of domain control, which it is not. Consequently, an attacker who can register or control an email address at a domain (for example, user@victimdomain.com) could potentially obtain a valid TLS certificate for victimdomain.com without proving ownership or control of the domain itself. This undermines the fundamental trust model of TLS certificates, which relies on certificate authorities (CAs) to verify domain control before issuance. The vulnerability requires no prior authentication beyond control of an email address and no user interaction beyond submitting a certificate request. Although no known exploits are currently reported in the wild, the potential for misuse is significant given the ability to impersonate domains via fraudulent certificates. The affected product is SSL.com’s certificate issuance system, which is used globally by organizations and individuals to obtain SSL/TLS certificates. The vulnerability is classified as medium severity, reflecting the moderate difficulty of exploitation balanced against the serious impact of fraudulent certificate issuance.

Potential Impact

For European organizations, the issuance of fraudulent TLS certificates for their domains can lead to severe security consequences. Attackers could use such certificates to conduct man-in-the-middle (MITM) attacks, intercepting or altering sensitive communications under the guise of legitimate domain encryption. This can compromise the confidentiality and integrity of data transmitted over HTTPS, email, and other TLS-protected protocols. Additionally, fraudulent certificates can facilitate phishing attacks by making malicious websites appear legitimate, thereby increasing the risk of credential theft and malware distribution. The erosion of trust in SSL.com-issued certificates could also affect organizations relying on these certificates for secure communications, potentially leading to reputational damage and loss of customer trust. Critical sectors such as finance, healthcare, and government in Europe, which rely heavily on trusted TLS certificates, may face increased risks of data breaches and regulatory non-compliance if fraudulent certificates are exploited. The medium severity rating suggests that while exploitation requires some control over an email address at the target domain, the absence of any requirement to demonstrate administrative control of the domain lowers the barrier for attackers who can obtain such email addresses, especially in organizations with less stringent email account issuance policies.

Mitigation Recommendations

European organizations using SSL.com certificates should immediately verify whether their certificates were issued using domain validation method 3.2.2.4.14 prior to April 19, 2025. They should consider reissuing certificates using updated validation methods or alternative certificate authorities that do not rely on email domain validation alone. Organizations should audit and tighten their email account provisioning policies to prevent unauthorized creation of email addresses under their domains. Implementing DNS-based domain validation methods (such as DNS TXT record validation) or HTTP-based validation methods can provide stronger assurance of domain control. Additionally, organizations should monitor certificate transparency logs for any unexpected certificates issued for their domains and promptly report suspicious certificates to SSL.com and relevant security authorities. Deploying strict certificate pinning or using Certificate Authority Authorization (CAA) DNS records can help restrict which CAs are authorized to issue certificates for their domains, reducing the risk of fraudulent issuance. Finally, organizations should educate their security teams about this vulnerability and incorporate certificate validation checks into their security monitoring processes.
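The last two recommendations above, monitoring certificate transparency and publishing CAA records, can be combined into a simple triage: any CT sighting for your domain whose issuer is not authorized by your CAA policy deserves a look. The following Python is an added example and is not code from the advisory or from SSL.com; it applies the RFC 8659 CAA lookup rule (climb toward the root to the closest CAA set, use issuewild for wildcard names when present) to constructed sample CAA records and constructed CT-log sightings, with placeholder CA identifiers.

```python
# CAA-based triage of certificate-transparency sightings (RFC 8659 semantics).
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)
CaaZone = Dict[str, List[CaaRecord]]

# Constructed sample: CAA records an administrator of example.org might publish.
# Issuer identifiers are placeholders, not any real CA's CAA domain.
SAMPLE_CAA: CaaZone = {
    "example.org": [
        (0, "issue", "authorized-ca.example"),
        (0, "issuewild", ";"),              # ";" means nobody may issue wildcards
        (0, "iodef", "mailto:security@example.org"),
    ],
}

# Constructed sample: sightings in the shape of a CT-log search export.
SAMPLE_CT_ENTRIES = [
    {"issuer_caa_id": "authorized-ca.example", "name": "www.example.org"},
    {"issuer_caa_id": "other-ca.example", "name": "example.org"},
    {"issuer_caa_id": "authorized-ca.example", "name": "*.example.org"},
]


def relevant_caa(name: str, zone: CaaZone) -> List[CaaRecord]:
    """Climb from the name toward the root; return the closest CAA set (RFC 8659 s.3)."""
    labels = name.lstrip("*.").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def caa_permits(name: str, issuer_caa_id: str, zone: CaaZone) -> bool:
    """True if CAA policy lets issuer_caa_id issue for name (no CAA at all = permitted)."""
    records = relevant_caa(name, zone)
    if not records:
        return True
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard and any(r[1] == "issuewild" for r in records) else "issue"
    allowed = [r[2].split(";")[0].strip() for r in records if r[1] == tag]
    if not allowed:  # CAA present but no issue/issuewild tag: issuance is allowed
        return True
    return issuer_caa_id in allowed


def flag_unexpected(entries: List[dict], zone: CaaZone) -> List[dict]:
    """Return CT sightings whose issuer is not authorized by the domain's CAA policy."""
    return [e for e in entries if not caa_permits(e["name"], e["issuer_caa_id"], zone)]
```

In the sample data the second sighting (an unauthorized CA for the apex) and the third (a wildcard while issuewild forbids them) are flagged; a real deployment would feed it your own CAA records and a CT log search export.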

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-19T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d984bc4522896dcbf7e4c

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/21/2025, 10:50:36 AM

Last updated: 7/28/2025, 10:42:48 AM