CVE-2025-49600 is a medium-severity vulnerability affecting MbedTLS versions from 3.3.0 up to but not including 3.6.4. The flaw resides in the mbedtls_lms_verify function, which is responsible for verifying LMS (Leighton-Micali Signature) signatures. The vulnerability arises because the function does not check the return values of internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value. These functions return status codes indicating success or failure, but if a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized. This leads to unpredictable signature verification results. The issue is particularly exploitable when hardware-accelerated hashing is used, as an attacker capable of inducing faults in the hardware hash accelerator can cause these functions to fail silently. By doing so, the attacker can reuse stale stack data to bypass signature verification, effectively forging LMS signatures. When the software implementation of SHA-256 is used, these functions do not fail, so the vulnerability is limited to environments using hardware acceleration. This fault injection attack vector requires the attacker to have the capability to induce hardware faults, which is a high-complexity attack scenario. The vulnerability impacts the integrity of cryptographic verification but does not affect confidentiality or availability. No known exploits are reported in the wild as of the publication date. No patches are currently linked, indicating that remediation may require upgrading beyond version 3.6.4 or applying vendor fixes once available.

For European organizations, this vulnerability poses a risk primarily to systems relying on MbedTLS for cryptographic signature verification, especially those using hardware-accelerated hashing modules. The ability to forge LMS signatures undermines the integrity of digital signatures, potentially allowing attackers to bypass authentication, validate malicious firmware or software updates, or impersonate trusted entities. This can lead to unauthorized code execution, supply chain compromise, or fraudulent transactions. Sectors such as telecommunications, critical infrastructure, IoT device manufacturers, and embedded systems developers in Europe are particularly at risk, as they often use MbedTLS in constrained environments with hardware acceleration for performance. The attack complexity is high due to the need for fault injection capabilities, which limits widespread exploitation but does not eliminate targeted attacks by sophisticated adversaries. The medium CVSS score reflects the limited attack vector and lack of confidentiality or availability impact but highlights the significant integrity risk. Organizations relying on hardware-accelerated cryptographic verification should be vigilant, as successful exploitation could undermine trust in digital signatures and cryptographic assurances.

European organizations should first identify all systems and devices using affected MbedTLS versions (3.3.0 up to 3.6.4) with hardware-accelerated hashing enabled. Immediate mitigation steps include: 1) Upgrading MbedTLS to version 3.6.4 or later where the vulnerability is fixed. 2) If upgrading is not immediately feasible, disabling hardware acceleration for hashing temporarily to force use of the software SHA-256 implementation, which is not vulnerable. 3) Implementing hardware fault detection and mitigation mechanisms to prevent fault injection attacks, such as monitoring for abnormal hardware behavior or using hardware with built-in fault resistance. 4) Enhancing code auditing and error checking in cryptographic verification functions to ensure all return values are validated. 5) Employing layered security controls such as code signing with multiple independent verification steps and runtime integrity checks to detect forged signatures. 6) Monitoring for anomalous signature verification failures or suspicious activity that may indicate exploitation attempts. These steps go beyond generic advice by focusing on the specific fault injection vector and hardware acceleration context of this vulnerability.