CVE-2025-27809
low-risk
Published 2025-03-25
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Do I need to act?
-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10
Medium
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (4)
Release Notes
https://github.com/Mbed-TLS/mbedtls/releases
Third Party Advisory
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-a...
Issue Tracking
https://github.com/Mbed-TLS/mbedtls/issues/466
Not Applicable
https://mastodon.social/@bagder/114219540623402700
22
/ 100
low-risk
Severity
17/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal