CVE-2025-27809 MEDIUM

Vendor: Mbed
Product: mbedtls
Weakness: CWE-1188
Published: March 25, 2025
Last update: March 25, 2025

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

Key dates

02 Disclosure timeline

March 25, 2025: CVE published
March 25, 2025: Record updated