Apache Log4j up to 2.25.2 Socket Appender certificate host validation

Summaryinfo

A vulnerability identified as critical has been detected in Apache Log4j up to 2.25.2. Affected by this issue is some unknown functionality of the component Socket Appender. Performing a manipulation results in certificate host validation. This vulnerability is reported as CVE-2025-68161. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in Apache Log4j up to 2.25.2. This affects some unknown functionality of the component Socket Appender. The manipulation with an unknown input leads to a certificate host validation vulnerability. CWE is classifying the issue as CWE-297. The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. This is going to have an impact on integrity. The summary by CVE is:

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

The weakness was disclosed by Samuli Leinonen. The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2025-68161 since 12/16/2025. The exploitability is told to be difficult. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/19/2026). MITRE ATT&CK project uses the attack technique T1587.003 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 279430 (Linux Distros Unpatched Vulnerability : CVE-2025-68161), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.25.3 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (279430), EUVD (EUVD-2025-204312) and CERT Bund (WID-SEC-2025-2897). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Debian Linux
• SUSE Linux
• SUSE openSUSE
• IBM Sterling Connect:Direct
• Apache log4j
• IBM App Connect Enterprise

Productinfo

Vendor

• Apache

Name

• Log4j

Version

• 2.25.0
• 2.25.1
• 2.25.2

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion