CVE-2025-52494 is a denial-of-service (DoS) vulnerability affecting the Adacore Ada Web Server (AWS) versions prior to 25.2. The vulnerability arises from improper handling of SSL/TLS handshakes during the initialization of HTTPS connections. Specifically, when a client initiates an HTTPS connection, the server begins the SSL handshake before assigning the connection to a processing slot (worker thread). However, the server does not implement a specific timeout for the handshake phase and instead relies on the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message containing incorrect length values. This malformed message causes the server to wait indefinitely for data that never arrives, effectively blocking the worker thread handling that connection. By opening multiple such connections simultaneously, an attacker can exhaust all available worker threads, reaching the server's maximum connection limit. This results in the server being unable to process legitimate requests, leading to a denial-of-service condition. The vulnerability does not require authentication or user interaction and can be triggered remotely. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The root cause is a lack of proper timeout management during the SSL handshake phase, which is a critical part of establishing secure HTTPS connections.

For European organizations using the Adacore Ada Web Server, this vulnerability poses a significant risk of service disruption. The DoS condition can render web services unavailable, impacting business continuity, customer access, and potentially critical infrastructure operations if the server is used in sensitive environments. The indefinite blocking of worker threads can degrade performance and availability, leading to potential financial losses and reputational damage. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on secure web services may face increased operational risks. Additionally, the inability to handle legitimate HTTPS requests could expose organizations to secondary risks, such as loss of customer trust and compliance issues under regulations like GDPR if service availability impacts data processing obligations. Since the vulnerability can be exploited remotely without authentication, it increases the attack surface and the likelihood of opportunistic or targeted attacks.

To mitigate this vulnerability, organizations should prioritize updating the Adacore Ada Web Server to version 25.2 or later, where the issue is addressed. If immediate patching is not possible, implementing network-level protections can reduce exposure. This includes deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) configured to detect and block malformed TLS ClientHello messages or anomalous SSL handshake patterns. Rate limiting connection attempts and limiting the number of simultaneous SSL handshakes per IP can help prevent resource exhaustion. Monitoring server logs for repeated handshake failures or unusual connection patterns can provide early detection of exploitation attempts. Additionally, configuring lower socket timeouts or implementing application-level handshake timeouts, if supported, can reduce the window of vulnerability. Network segmentation and isolating critical web servers behind reverse proxies or load balancers that can absorb or filter malicious traffic are also recommended. Finally, organizations should maintain an incident response plan to quickly address potential DoS attacks and ensure business continuity.