Cyber Resilience

CVE-2025-66614

Critical

Published: 17 February 2026

Published
17 February 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0024 14.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-66614 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Tomcat. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66614 is an Improper Input Validation vulnerability (CWE-20, CWE-295) in Apache Tomcat. It affects versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112. Additionally, end-of-life versions 8.5.0 through 8.5.100 are known to be vulnerable, while older EOL versions are not. The issue stems from Tomcat not validating that the hostname provided via the TLS SNI extension matches the hostname in the HTTP Host header field.

An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required (CVSS 9.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). It applies only when Tomcat is configured with multiple virtual hosts, client certificate authentication is enforced at the Connector level for one host but not another, and authentication is not enforced at the web application level. By sending mismatched hostnames in the SNI extension and HTTP Host header, an attacker can bypass client certificate authentication on the protected virtual host, potentially gaining unauthorized access.

The Apache advisory recommends upgrading to Tomcat 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which address the issue. Further details are available in the official announcement at https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0…

more

through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote auth bypass on public-facing Tomcat virtual hosts via SNI/Host header mismatch enables exploitation of the web application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41293Same product: Apache Tomcat
CVE-2025-55754Same product: Apache Tomcat
CVE-2026-34483Same product: Apache Tomcat
CVE-2026-43512Same product: Apache Tomcat
CVE-2026-42498Same product: Apache Tomcat
CVE-2026-29146Same product: Apache Tomcat
CVE-2026-34486Same product: Apache Tomcat
CVE-2026-24880Same product: Apache Tomcat
CVE-2026-29129Same product: Apache Tomcat
CVE-2026-29145Same product: Apache Tomcat

Affected Assets

apache
tomcat
10.1.0, 11.0.0, 9.0.0 · 9.0.1 — 9.0.113 · 10.1.1 — 10.1.50 · 11.0.1 — 11.0.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of SNI hostname inputs against HTTP Host header to prevent client certificate authentication bypass in multi-virtual host configurations.

prevent

Mandates timely patching of the Tomcat flaw that fails to validate hostname consistency, as recommended by the vendor advisory.

prevent

Enforces access control policies at the application layer or through validated inputs to mitigate connector-level authentication bypasses.

References