
CVE-2025-66614: CWE-20 Improper Input Validation in Apache Software Foundation Apache Tomcat

Published: Tue Feb 17 2026 (02/17/2026, 18:48:30 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

AI-Powered Analysis

AI analysis last updated: 02/18/2026, 08:23:45 UTC

Technical Analysis

CVE-2025-66614 is a security vulnerability classified under CWE-20 (Improper Input Validation) affecting multiple versions of Apache Tomcat, specifically from 8.5.0 through 11.0.14. The root cause lies in Tomcat's failure to validate that the hostname provided in the TLS Server Name Indication (SNI) extension matches the hostname specified in the HTTP Host header. In environments where Tomcat is configured with multiple virtual hosts, some requiring client certificate authentication at the TLS Connector level and others not, this mismatch can be exploited. An attacker can send a TLS ClientHello with an SNI hostname that corresponds to a virtual host without client certificate requirements, while the HTTP Host header references a virtual host that normally requires client certificates. Because Tomcat does not cross-verify these hostnames, it may allow the connection to bypass client certificate authentication checks, effectively granting unauthorized access. This vulnerability only applies when client certificate authentication is enforced at the Connector level; if enforced at the web application level, the vulnerability does not apply. There are no known exploits in the wild as of the publication date. The issue was addressed in Apache Tomcat versions 11.0.15, 10.1.50, and 9.0.113 and later, which implement proper hostname validation between SNI and HTTP Host headers. Organizations using affected Tomcat versions with multi-host TLS configurations and client certificate authentication should prioritize upgrading to these fixed versions to prevent potential unauthorized access.

Potential Impact

For European organizations, the impact of CVE-2025-66614 can be significant, especially for those deploying Apache Tomcat in environments requiring strong client authentication, such as financial institutions, government agencies, and critical infrastructure providers. The vulnerability enables attackers to bypass client certificate authentication, potentially allowing unauthorized users to access sensitive applications or data protected by TLS client certificates. This undermines the confidentiality and integrity of communications and may lead to data breaches, unauthorized transactions, or lateral movement within networks. Organizations relying on multi-tenant or multi-virtual host Tomcat deployments are particularly at risk. The absence of known exploits reduces immediate risk, but the vulnerability's presence in widely used Tomcat versions means that attackers could develop exploits in the future. Given the critical role of client certificate authentication in securing access, this vulnerability could also impact compliance with European data protection regulations such as GDPR if unauthorized access leads to personal data exposure.

Mitigation Recommendations

1. Upgrade Apache Tomcat to the fixed versions: 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later. This is the primary and most effective mitigation.
2. Review and, if possible, enforce client certificate authentication at the web application level rather than solely at the Connector level, as this vulnerability does not apply in that scenario.
3. Audit TLS configurations to ensure that virtual hosts requiring client certificates are properly segregated and that SNI and HTTP Host headers are consistent.
4. Implement network-level controls to restrict access to sensitive virtual hosts and monitor for anomalous TLS handshake behaviors indicative of SNI/Host header mismatches.
5. Employ logging and alerting on TLS handshake failures or unusual client certificate authentication bypass attempts.
6. Conduct penetration testing and vulnerability scanning focused on TLS and client authentication mechanisms to detect potential exploitation attempts.
7. Educate system administrators and developers about the importance of consistent hostname validation in multi-host TLS environments.
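The mechanism described in the Technical Analysis and the SNI/Host consistency check from recommendations 3 to 5 can be modelled in a few lines. The block below is an added example, not Tomcat source or its log format: it assumes two constructed virtual hosts, a pre-fix decision that consults only the SNI-selected TLS configuration, a modelled post-fix decision that refuses SNI/Host disagreement, and a small detector over constructed log lines of the form `sni=<host> host=<host> cert=<yes|no>`.

```python
"""Model of the CVE-2025-66614 condition: the HTTP Host header names a
virtual host that requires a client certificate at the Connector, while the
TLS SNI name selected a virtual host that does not. Everything here is
constructed for illustration; it is not Tomcat code or Tomcat's log format."""
from dataclasses import dataclass

# Constructed per-virtual-host client-cert requirement, standing in for a
# Connector that carries several TLS host configurations.
VHOST_CLIENT_AUTH = {
    "public.example.test": False,   # no client certificate needed
    "admin.example.test": True,     # client certificate required
}

@dataclass(frozen=True)
class Request:
    sni_host: str           # host name from the TLS ClientHello SNI extension
    http_host: str          # host name from the HTTP Host header
    client_cert_seen: bool  # whether the handshake verified a client certificate

def vulnerable_decision(req: Request) -> bool:
    """Pre-fix behaviour: the certificate requirement is taken from the TLS
    host configuration chosen by SNI; the Host header is never compared."""
    needs_cert = VHOST_CLIENT_AUTH.get(req.sni_host, False)
    return (not needs_cert) or req.client_cert_seen

def fixed_decision(req: Request) -> bool:
    """Modelled post-fix behaviour: reject when SNI and Host disagree, then
    apply the requirement of the host that was actually requested."""
    if req.sni_host.lower() != req.http_host.lower():
        return False
    needs_cert = VHOST_CLIENT_AUTH.get(req.http_host, False)
    return (not needs_cert) or req.client_cert_seen

def flag_mismatches(log_lines):
    """Detection helper: return the constructed log lines in which the Host
    header names a cert-protected vhost but SNI selected a different vhost."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        sni, host = fields["sni"], fields["host"]
        if sni != host and VHOST_CLIENT_AUTH.get(host, False):
            flagged.append(line)
    return flagged

SAMPLE_LOG = [  # constructed sample lines, not a real Tomcat access log
    "sni=public.example.test host=public.example.test cert=no",
    "sni=public.example.test host=admin.example.test cert=no",
    "sni=admin.example.test host=admin.example.test cert=yes",
]
```

The second sample line is the condition the advisory describes: the pre-fix decision admits it without a certificate, the modelled fix rejects it, and the detector flags it for review.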


Technical Details

Data Version: 5.2
Assigner Short Name: apache
Date Reserved: 2025-12-05T11:54:31.778Z
CVSS Version: null
State: PUBLISHED

Threat ID: 699575bd80d747be205377ea

Added to database: 2/18/2026, 8:18:05 AM

Last enriched: 2/18/2026, 8:23:45 AM

Last updated: 2/21/2026, 12:16:01 AM

Views: 30

