CVE-2025-6433 is a critical security vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 140. The vulnerability arises from improper handling of WebAuthn authentication challenges when users visit websites with invalid TLS certificates and explicitly grant security exceptions. Under normal WebAuthn specifications, authentication challenges must be transmitted over a secure transport without errors to prevent man-in-the-middle or phishing attacks. However, this vulnerability allows a webpage with an invalid TLS certificate—accepted by the user—to issue a WebAuthn challenge, thereby bypassing the secure transport requirement. This flaw violates the WebAuthn specification and CWE-295 (Improper Certificate Validation). The attacker could exploit this by tricking users into accepting invalid TLS certificates, then prompting them to complete WebAuthn authentication, potentially leading to unauthorized credential disclosure or misuse. The vulnerability has a CVSS 3.1 base score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, with no privileges or user interaction beyond the initial certificate exception required. Although no known exploits are currently reported in the wild, the severity and ease of exploitation through social engineering make it a significant threat. No patches were listed at the time of reporting, so organizations must monitor Mozilla advisories closely.

For European organizations, this vulnerability poses a severe risk to secure authentication processes that rely on WebAuthn via Firefox or Thunderbird. Exploitation could lead to unauthorized access to sensitive systems and data by bypassing the cryptographic assurances normally provided by TLS and WebAuthn. This undermines trust in multi-factor authentication mechanisms, potentially enabling credential theft, session hijacking, or fraudulent transactions. Critical sectors such as finance, government, healthcare, and telecommunications, which often mandate strong authentication, could face data breaches, regulatory non-compliance, and operational disruptions. The vulnerability's exploitation could also facilitate lateral movement within networks if attackers gain initial footholds through compromised credentials. Given the widespread use of Firefox in Europe and Thunderbird for email, the attack surface is substantial. The lack of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing this issue.

European organizations should implement the following specific mitigations: 1) Immediately monitor Mozilla security advisories and apply updates to Firefox and Thunderbird version 140 or later as soon as patches become available. 2) Enforce strict policies to minimize or prohibit users from accepting invalid TLS certificate exceptions, including user education on the risks of bypassing certificate warnings. 3) Deploy network-level TLS inspection and certificate validation tools to detect and block invalid or suspicious certificates before reaching end users. 4) Utilize endpoint security solutions that can monitor and alert on unusual WebAuthn challenge activities or suspicious browser behaviors. 5) Encourage the use of hardware security keys or secure enclave-based authenticators that provide additional layers of protection against credential interception. 6) Conduct phishing awareness training focused on social engineering tactics that might trick users into accepting invalid certificates. 7) Where feasible, restrict WebAuthn usage to trusted domains and implement Content Security Policy (CSP) headers to limit exposure to malicious web content. These measures collectively reduce the risk of exploitation while patches are deployed.