CVE-2025-15346
Unknown Unknown - Not Provided
Mutual TLS Bypass in wolfssl-py Due to Auth Misconfiguration

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: wolfSSL Inc.

Description
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.Β  Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.Β  This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.Β  The issue affects versions up to and including 5.8.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15346
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl-py to 5.8.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the wolfssl Python package (wolfssl-py) occurs because when the SSL verification mode is set to CERT_REQUIRED, the necessary flag (WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) was not set. As a result, the server treated the mode like CERT_OPTIONAL, meaning it would verify a client certificate if presented but would still allow connections without one. This flaw allows attackers to bypass mutual TLS (mTLS) client authentication by omitting the client certificate during the TLS handshake, leading to improper authentication. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass mutual TLS (mTLS) client authentication. Because the server does not enforce the requirement for a client certificate, unauthorized clients can connect without providing a certificate, potentially gaining access to systems or data that should be protected by strict client authentication. [1, 2]

Detection Guidance

To detect this vulnerability, monitor TLS handshake logs for connections where client certificates are expected but not presented or verified. Specifically, check if connections are accepted without client certificates when verify_mode is set to CERT_REQUIRED. You can use packet capture tools like tcpdump or Wireshark to inspect TLS handshakes and verify if client certificates are being sent. Additionally, reviewing server logs or enabling debug logging in wolfssl-py to confirm whether the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag is set can help detect improper enforcement. There are no specific commands provided in the resources. [1, 3]

Mitigation Strategies

The immediate mitigation is to upgrade the wolfssl-py package to version 5.8.4 or later, where the vulnerability is fixed by properly setting the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag when verify_mode is CERT_REQUIRED. This ensures strict client certificate verification and prevents connections without valid client certificates. If upgrading is not immediately possible, review and modify your SSL/TLS configuration to enforce client certificate verification strictly, ensuring that connections without client certificates are rejected. [2, 3]

Compliance Impact

This vulnerability allows attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake, resulting in improper authentication. Such a flaw can undermine the security controls required by common standards and regulations like GDPR and HIPAA, which mandate strong authentication and protection of sensitive data. Failure to enforce strict client certificate verification could lead to unauthorized access, potentially causing non-compliance with these regulations. The fix restores proper enforcement of client certificate requirements, thereby improving compliance posture. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart