Cyber Resilience

CVE-2025-68637

Critical

Published: 07 January 2026
Modified: 16 January 2026
CISA KEV: not listed
CVSS v3.1 base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0022 (12.3rd percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-68637 is a critical-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in Apache Uniffle. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 12.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2025-68637 is a critical-severity vulnerability in the Uniffle HTTP client, which by default is configured to trust all SSL certificates and to disable hostname verification. This insecure setup exposes REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to man-in-the-middle (MITM) attacks. The issue affects all versions prior to 0.10.0 and is classified under CWE-297 (Improper Validation of Certificate with Host Mismatch), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Attackers with network access to the communication path can exploit this vulnerability without privileges or user interaction. By performing an MITM attack, they can intercept, read, and modify sensitive data in transit, achieving high impacts on confidentiality and integrity, though availability remains unaffected.

Advisories recommend upgrading to Uniffle version 0.10.0, which addresses the issue by correcting the SSL configuration. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/12/27/2.


Vulnerability details

The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.
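The two defects the advisory describes, a trust-all trust manager and a disabled hostname verifier, are a recognisable code pattern. The following Java is an added illustration written for this page, not Uniffle's own client code: the hypothetical `insecureConnection` shows the CWE-297 pattern as a reviewer would see it, and `hardenedConnection` shows the corrected form that relies on the JVM's default certificate-chain validation and hostname check. The coordinator URL is a placeholder.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.net.URL;

/**
 * Illustrative TLS client setup (not Uniffle's code): the misconfiguration
 * behind CWE-297 beside its corrected form.
 */
public final class TlsClientConfig {

    // --- Vulnerable pattern: trust every certificate, verify no hostname ---
    // Two things a code review or SAST rule should flag: an X509TrustManager
    // whose check methods are empty, and a HostnameVerifier that always
    // returns true. Either one alone is enough to make interception trivial.
    public static HttpsURLConnection insecureConnection(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());   // chain validation disabled
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // hostname check disabled
        return conn;
    }

    // --- Hardened form: platform trust store plus default hostname verification ---
    // SSLContext.getDefault() validates the server chain against the JVM trust
    // store, and HttpsURLConnection's default HostnameVerifier checks that the
    // certificate matches the URL host. Simply not overriding either is the fix.
    public static HttpsURLConnection hardenedConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder coordinator endpoint; openConnection() does not connect yet.
        URL coordinator = new URL("https://coordinator.example.invalid:19999/api");
        HttpsURLConnection conn = hardenedConnection(coordinator);
        // With the hardened setup, a certificate issued for a different host or by
        // an unknown CA fails the handshake (SSLHandshakeException) instead of
        // being silently accepted.
        System.out.println("default hostname verifier in place: "
                + (conn.getHostnameVerifier() != null));
    }
}
```

When auditing a client for this defect, grep for empty `checkServerTrusted` bodies and lambda or anonymous `HostnameVerifier` implementations that return `true`. If the client is built on Apache HttpClient (an assumption; the page does not say which library Uniffle uses), the equivalent markers are `NoopHostnameVerifier` and `TrustAllStrategy`. In either case the remediation is the same as in `hardenedConnection`: remove the overrides and, where a private CA signs the coordinator's certificate, add that CA to the trust store rather than disabling validation.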


Related Threats

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Insecure default SSL/TLS config (trust-all certs, no hostname verification) directly enables MITM interception/modification of API traffic (T1557).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41603 (same vendor: Apache)
CVE-2026-40542 (same vendor: Apache)
CVE-2026-45361 (same vendor: Apache)
CVE-2026-24281 (same vendor: Apache)
CVE-2026-26214 (shared CWE-297)
CVE-2026-24734 (same vendor: Apache)
CVE-2026-31923 (same vendor: Apache)
CVE-2025-2190 (shared CWE-297)
CVE-2026-27314 (same vendor: Apache)
CVE-2025-62188 (same vendor: Apache)

Affected Assets

apache / uniffle, versions ≤ 0.10.0

Mitigating Controls (NIST 800-53 r5)

prevent: Requires cryptographic protection for transmission confidentiality and integrity, directly preventing MITM attacks by mandating proper TLS implementation with certificate validation.

prevent, CM-6 (Configuration Settings): Mandates secure configuration settings for IT products, directly addressing the default insecure SSL configuration that trusts all certificates and disables hostname verification in the Uniffle HTTP client.

prevent, SC-17 (Public Key Infrastructure Certificates): Establishes requirements for PKI certificate management and validation, mitigating the improper certificate trust and host mismatch exploited in this CVE's MITM vulnerability.
