Cyber Posture

CVE-2025-66614

Critical

Published: 17 February 2026
Modified: 11 March 2026
KEV Added: not listed
Patch: available (fixed versions are listed in the NVD description below)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (15.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66614 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Tomcat. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 15.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Input validation (SI-10), prevent: directly requires validating the SNI hostname against the HTTP Host header, which prevents the client certificate authentication bypass in multi-virtual-host configurations.
- Flaw remediation (SI-2), prevent: mandates timely patching of the Tomcat flaw that fails to validate hostname consistency, as recommended by the vendor advisory.
- Application-layer access control, prevent: enforces access control policies at the application layer, or through validated inputs, so that a Connector-level authentication bypass does not by itself grant access.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct remote auth bypass on public-facing Tomcat virtual hosts via SNI/Host header mismatch enables exploitation of the web application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Deeper analysis

CVE-2025-66614 is an Improper Input Validation vulnerability (CWE-20, CWE-295) in Apache Tomcat. It affects versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112. Additionally, end-of-life versions 8.5.0 through 8.5.100 are known to be vulnerable, while older EOL versions are not. The issue stems from Tomcat not validating that the hostname provided via the TLS SNI extension matches the hostname in the HTTP Host header field.

An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required (CVSS 9.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It applies only when Tomcat is configured with multiple virtual hosts, client certificate authentication is enforced at the Connector level for one host but not another, and authentication is not enforced at the web application level. By sending mismatched hostnames in the SNI extension and HTTP Host header, an attacker can bypass client certificate authentication on the protected virtual host, potentially gaining unauthorized access.

The Apache advisory recommends upgrading to Tomcat 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which address the issue. Further details are available in the official announcement at https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7.
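The NVD text above draws a line that matters for defenders: the bypass only applies when client certificate authentication is enforced solely at the Connector, and not when the web application enforces it too. The following is an added illustration, not configuration from the Apache advisory or from this page, of the deployment shape the advisory describes (one HTTPS Connector with two TLS virtual hosts, only one of which requires a client certificate) next to the web.xml declaration that moves the requirement into the web application. The hostnames, keystore paths, passwords and the role name are placeholders; `certificateVerification`, `SSLHostConfig`, `CLIENT-CERT` and the servlet security-constraint elements are standard Tomcat and Servlet configuration.

```xml
<!-- conf/server.xml (fragment, assumed hostnames and paths):
     one Connector, two SSLHostConfig entries selected by SNI.
     Only secure.example.com requires a client certificate, and the
     requirement lives at the Connector. This is the configuration the
     advisory describes as affected before the fixed versions. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           defaultSSLHostConfigName="public.example.com">

    <!-- Public virtual host: no client certificate required. -->
    <SSLHostConfig hostName="public.example.com"
                   certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/public.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>

    <!-- Protected virtual host: client certificate required at the Connector.
         On an unpatched version this is the only gate, so it is the one the
         SNI/Host mismatch walks around. -->
    <SSLHostConfig hostName="secure.example.com"
                   certificateVerification="required"
                   truststoreFile="conf/client-ca.jks"
                   truststorePassword="changeit">
        <Certificate certificateKeystoreFile="conf/secure.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml of the application deployed under secure.example.com
     (fragment). Declaring CLIENT-CERT here makes the web application itself
     demand and authenticate the certificate for every URL, independent of
     which SSLHostConfig the TLS handshake selected. Per the NVD text, a
     deployment that enforces authentication at the web application is
     outside the scope of this issue; this is defense in depth, not a
     substitute for upgrading. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Placeholder role; the Realm must map the certificate's
             subject DN to this role. -->
        <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Reject plaintext access to the constrained resources. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
    <role-name>cert-user</role-name>
</security-role>
```

With CLIENT-CERT, Tomcat hands the presented certificate to the configured Realm and uses the certificate's subject DN as the username by default, so the Realm (for example a `UserDatabaseRealm` entry whose username is the full DN) has to grant that user the `cert-user` role or the request is refused with 401/403. A quick check that the constraint is active is to request any URL under the application without a client certificate: a correctly constrained application refuses it regardless of which hostname was sent in SNI. Keep `certificateVerification="required"` on the Connector as well; the two layers are complementary.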

Details

CWE(s): CWE-20 (Improper Input Validation), CWE-295 (Improper Certificate Validation)

Affected Products

apache / tomcat: 10.1.0, 11.0.0, 9.0.0 · 9.0.1 to 9.0.113 · 10.1.1 to 10.1.50 · 11.0.1 to 11.0.15

CVEs Like This One

- CVE-2026-29146 (same product: Apache Tomcat)
- CVE-2025-55754 (same product: Apache Tomcat)
- CVE-2026-24880 (same product: Apache Tomcat)
- CVE-2026-34486 (same product: Apache Tomcat)
- CVE-2026-34483 (same product: Apache Tomcat)
- CVE-2026-29129 (same product: Apache Tomcat)
- CVE-2026-34487 (same product: Apache Tomcat)
- CVE-2026-29145 (same product: Apache Tomcat)
- CVE-2026-24734 (same product: Apache Tomcat)
- CVE-2025-48913 (same vendor: Apache)

References

- Apache Tomcat announcement for CVE-2025-66614: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7