Is CVE-2025-68161 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2025-68161 affect?

Tracked products affected include Apache Log4j. Check the version you run to see whether it is affected.

How do I fix CVE-2025-68161?

Apply the vendor fix in your normal patch cycle. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2025-68161

Q: What is CVE-2025-68161?

CVE-2025-68161 is a medium-severity software vulnerability (CWE-297) with a CVSS score of 4.8. The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#

MEDIUM severity · CVSS 4.8 · CWE-297

4.8CVSS MEDIUM

Summary

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products we track (1)

Apache Log4j

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/apache/logging-log4j2/pull/4002 ↗

CVE-2025-68161

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information