PT-2025-52349 · Apache · Apache Log4J Core

Author: Samuli Leinonen · Published 2025-12-18 · Updated 2026-05-18

CVE-2025-68161
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Log4j Core versions 2.0-beta9 through 2.25.2

Description: The Socket Appender in Apache Log4j Core does not verify the hostname of the peer certificate during TLS connections, even when configured to do so. This could allow a man-in-the-middle attacker to intercept or redirect log traffic if they can present a valid certificate trusted by the system. The attacker needs to be able to intercept network traffic between the client and the log receiver and possess a certificate issued by a trusted certification authority.

Recommendations: Upgrade to Apache Log4j Core version 2.25.3. As an alternative, configure the Socket Appender to use a private or restricted trust root to limit the set of trusted certificates.
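The two controls the advisory touches on, hostname verification of the peer certificate and a restricted trust root, are shown together in the added example below. It is illustrative code written for this page, not Log4j's own Socket Appender implementation or its 2.25.3 fix, and it uses standard JSSE only. The receiver host, port and truststore path are assumed placeholders. The security-relevant point is that a raw `SSLSocket` validates the certificate chain but does not compare the certificate's name to the host it connected to unless an endpoint identification algorithm is set; without that step any certificate from a trusted CA, issued for any name, is accepted, which is exactly the condition the description above relies on.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class VerifiedTlsLogClient {

    // Build an SSLContext that trusts ONLY the CA certificates in a private
    // truststore (the advisory's fallback recommendation) rather than the JVM's
    // default trust roots. A public CA certificate is then no longer "trusted by
    // the system" for this connection.
    static SSLContext restrictedTrustContext(String trustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Open a TLS socket to the log receiver and require that the peer certificate
    // actually names `host`. On a raw SSLSocket, JSSE checks the chain but does NOT
    // check the hostname unless an endpoint identification algorithm is set; the
    // "HTTPS" algorithm applies RFC 2818 matching against the SubjectAltName entries.
    static SSLSocket connectVerified(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        // Fails with SSLHandshakeException if the certificate does not match `host`
        // or does not chain to a CA in the restricted truststore.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder receiver and truststore; adjust to your environment.
        String host = "logs.example.internal";
        int port = 9500;
        SSLContext ctx = restrictedTrustContext("/etc/app/log-truststore.p12",
                "changeit".toCharArray());
        try (SSLSocket s = connectVerified(ctx, host, port)) {
            System.out.println("Verified TLS session with "
                    + s.getSession().getPeerPrincipal());
        }
    }
}
```

A practical check for any TLS log shipper is to point it at a receiver that presents a CA-signed certificate issued for a different name: a client that verifies the hostname fails the handshake, while one with the behaviour described in this advisory connects silently. Pinning a private truststore narrows who can issue an acceptable certificate, but it is a mitigation, not a substitute for hostname verification, since any certificate from the private CA would still be accepted regardless of name.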

Weakness Enumeration: Improper Certificate Validation (CWE-295)

Related Identifiers:

BDU:2026-00009
CLEANSTART-2026-CF62516
CLEANSTART-2026-DC73689
CLEANSTART-2026-EZ90321
CLEANSTART-2026-GE08280
CLEANSTART-2026-GM79879
CLEANSTART-2026-GQ14179
CLEANSTART-2026-IA43044
CLEANSTART-2026-JU62349
CLEANSTART-2026-JW30455
CLEANSTART-2026-MM00120
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2025-68161
GHSA-VC5P-V9HR-52MJ
OPENSUSE-SU-2026:10009-1
OPENSUSE-SU-2026:20099-1
SUSE-SU-2026:0254-1

Affected Products:

Apache Log4J Core
Debian
Red Os