CVE-2025-23419 is an authentication bypass vulnerability in NGINX affecting deployments where multiple server blocks share the same IP address and port. In this configuration, an attacker can abuse TLS session resumption to bypass client certificate authentication requirements on one or more of the virtual servers. The issue arises when the default server on the shared listener uses TLS Session Tickets and/or the SSL session cache while performing client certificate authentication. Under those conditions, a resumed TLS session can be accepted across server blocks in a way that weakens or bypasses intended mTLS enforcement.
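Added configuration example (not from this page, the PoC repository, or NGINX's own documentation) showing the precondition described above and one way to remove it. It assumes a constructed address 203.0.113.10, the hostnames auth.example.test and public.example.test, and the certificate paths shown; the two default server blocks are alternatives, not meant to be loaded together.

```nginx
# --- Vulnerable pattern (constructed example) ---
# Two server blocks share 203.0.113.10:443. The default server requires a
# client certificate but also keeps a session cache and issues session
# tickets, which is the condition under which a resumed session can be
# accepted across the server blocks on this listener.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name auth.example.test;                    # assumed hostname

    ssl_certificate        /etc/nginx/certs/auth.crt;   # assumed paths
    ssl_certificate_key    /etc/nginx/certs/auth.key;

    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client      on;                        # mTLS enforced here

    ssl_session_cache      shared:SSL:10m;            # precondition
    ssl_session_tickets    on;                        # precondition (nginx default)
}

server {
    listen 203.0.113.10:443 ssl;
    server_name public.example.test;                  # assumed sibling host, no mTLS
    ssl_certificate        /etc/nginx/certs/public.crt;
    ssl_certificate_key    /etc/nginx/certs/public.key;
}

# --- Hardened default server (replaces the first block above) ---
# Same listener and same mTLS requirement, but no resumable session state
# is issued, so there is no cached session or ticket to present to a
# sibling virtual host on the shared IP:port.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name auth.example.test;

    ssl_certificate        /etc/nginx/certs/auth.crt;
    ssl_certificate_key    /etc/nginx/certs/auth.key;

    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client      on;

    ssl_session_cache      off;                       # no server-side resumption
    ssl_session_tickets    off;                       # no ticket-based resumption
}
```

Disabling resumption costs a full handshake per connection; the other way to remove the precondition the page names is to give the mTLS server block its own IP address or port so it no longer shares a listener.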
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small proof-of-concept exploit/tester consisting of one Python script and a README. The main file, CVE-2025-23419.py, implements a custom requests HTTPAdapter that creates a permissive TLS context: hostname verification is disabled, certificate validation is disabled, and an optional client certificate/key pair is loaded into the TLS context. The exploit logic uses a single requests.Session, mounts the custom adapter for HTTPS, performs an initial GET request to an authenticated server name (auth_sni) with the client certificate, and then performs a second GET request to a different server name (noauth_sni) using the same session. The intended purpose is to test whether a server or reverse proxy improperly reuses TLS session state across virtual hosts or SNI contexts, potentially allowing authentication bypass.

Repository structure is minimal: README.md explains the intended TLS session reuse/authentication bypass scenario and lists Python dependencies; CVE-2025-23419.py is the only executable component and serves as the entry point. The script accepts CLI arguments for target, authenticated SNI, unauthenticated SNI, certificate path, key path, and optional port. Notably, the target_host argument is parsed but not actually used in URL construction; the requests are built from auth_server_name and noauth_server_name directly.

The script does not contain a post-exploitation payload such as command execution or shell access. Its capability is limited to sending crafted HTTPS requests and printing status codes plus a truncated response body from the second request, making it a PoC for validating a suspected TLS/session-handling flaw rather than a full weaponized exploit.
7 sources tracked across advisories, community write-ups, and news.
An nginx TLS session resumption bypass vulnerability reported by Shodan against the primary C2 host.
A source that identifies this vulnerability only by its CVE ID, as a known vulnerability on the TMoscow Bot infrastructure; no further details are provided.
An nginx TLS session ticket reuse vulnerability listed by Shodan InternetDB for the host.
nginx TLS session ticket vulnerability listed by Shodan as affecting the observed infrastructure.