CVE-2025-27809

EPSS 0.04%
Published 25.03.2025 00:00:00
Last modified 17.07.2025 15:57:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

Affected products Warnungen 0 Metrics 2 CWE 1 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Arm ≫ Mbed Tls Version < 2.28.10

Arm ≫ Mbed Tls Version >= 3.0.0 < 3.6.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.084

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cve@mitre.org	5.4	2.2	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

https://github.com/Mbed-TLS/mbedtls/releases

Release Notes

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

Third Party Advisory

https://github.com/Mbed-TLS/mbedtls/issues/466

Issue Tracking

https://mastodon.social/@bagder/114219540623402700

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2025-27809

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27809

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27809

EUVD