Platform
dotnet
Component
akka.remote
Fixed in
1.2.1
1.5.52
CVE-2025-61778 is a critical network security vulnerability affecting Akka.Remote versions up to 1.5.9. This flaw allows attackers to bypass certificate-based authentication when using TLS, potentially leading to unauthorized access and control over the network. A fix is available in version 1.5.52, and users are strongly advised to upgrade immediately.
The core of this vulnerability lies in Akka.Remote's handling of TLS connections. While the server side validates the certificates presented to it, the outbound-connecting client is not required to present a certificate of its own. An attacker can therefore establish a TLS-encrypted connection without authenticating, effectively impersonating a legitimate peer. The impact is severe: an attacker could join the Akka.Remote network, intercept messages, inject malicious commands, and potentially compromise the entire system. This is particularly concerning where Akka.Remote carries critical inter-service communication, as it could lead to cascading failures and data breaches. Because the flaw is in the SSL/TLS path, it matters most in deployments where that encryption is actively used, which is common when securing sensitive data in transit.
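As an added example (not Akka.NET's or DotNetty's own code), the following shows on a plain .NET SslStream the two halves that together make the authentication mutual: the accepting side asks for a peer certificate and treats its absence as fatal, and the outbound side presents one. The host, port and certificate objects are placeholders supplied by the caller.

```csharp
// Added example (not Akka.NET's own code): mutual TLS on a raw .NET SslStream,
// so a peer that presents no certificate is refused rather than accepted.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsExample
{
    // Shared validation callback: refuse the handshake when the remote peer
    // sent no certificate, or sent one that does not chain to a trusted CA.
    static bool ValidatePeer(object sender, X509Certificate? cert,
                             X509Chain? chain, SslPolicyErrors errors)
    {
        if (cert is null || errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            return false;                      // no peer certificate: reject
        // A thumbprint or subject pin for the expected peer could be added here.
        return errors == SslPolicyErrors.None; // chain must validate cleanly
    }

    // Inbound side: clientCertificateRequired only makes the server *request*
    // a certificate; ValidatePeer is what makes a missing one fatal.
    public static SslStream AcceptMutualTls(TcpClient client, X509Certificate2 serverCert)
    {
        var ssl = new SslStream(client.GetStream(), false, ValidatePeer);
        ssl.AuthenticateAsServer(serverCert,
                                 clientCertificateRequired: true,
                                 enabledSslProtocols: SslProtocols.Tls12 | SslProtocols.Tls13,
                                 checkCertificateRevocation: true);
        return ssl;
    }

    // Outbound side: present our own certificate when connecting to a peer,
    // the step the vulnerable client path skipped.
    public static SslStream ConnectMutualTls(string host, int port, X509Certificate2 clientCert)
    {
        var tcp = new TcpClient(host, port);
        var ssl = new SslStream(tcp.GetStream(), false, ValidatePeer);
        ssl.AuthenticateAsClient(host,
                                 new X509CertificateCollection { clientCert },
                                 SslProtocols.Tls12 | SslProtocols.Tls13,
                                 checkCertificateRevocation: true);
        return ssl;
    }
}
```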
This vulnerability was publicly disclosed on 2025-10-07. There is currently no indication of active exploitation in the wild, but the critical severity and ease of exploitation (requiring only a TLS connection) suggest it could become a target. The vulnerability's impact is amplified by its network-based nature, making it potentially exploitable from external sources. It is not currently listed on CISA KEV, but its severity warrants monitoring.
Organizations heavily reliant on Akka.Remote for inter-service communication, particularly those using SSL/TLS for securing these connections, are at significant risk. Environments with legacy Akka.Remote deployments or those with limited resources for immediate patching are also particularly vulnerable. Shared hosting environments utilizing Akka.Remote should be assessed for potential exposure.
• .NET / Akka.Remote: list the process IDs of hosts whose process name matches the Akka.Remote service (adjust the pattern to your own service name):
  Get-Process | Where-Object { $_.ProcessName -match 'akka-remote' } | Select-Object -ExpandProperty Id
• .NET / Akka.Remote: query the Application event log for events written by the Akka.Remote provider (the outer string is double-quoted so the single quotes inside the XPath are not treated as string delimiters):
  Get-WinEvent -LogName Application -FilterXPath "//Event[System[Provider[@Name='Akka.Remote']]]"
• .NET / Akka.Remote: Check registry keys related to Akka.Remote configuration for TLS settings and certificate paths.
• .NET / Akka.Remote: Monitor application logs for unusual connection attempts or authentication failures.
disclosure
Exploit Status
EPSS
0.09% (percentile 25%)
CISA SSVC
The primary mitigation is to upgrade Akka.Remote to version 1.5.52 or later, which includes the fix for this authentication bypass. If upgrading immediately is not possible, consider temporarily disabling TLS authentication on Akka.Remote connections. While this reduces security, it prevents the bypass vulnerability from being exploited. Alternatively, implement a WAF or proxy that enforces certificate validation on both inbound and outbound connections, effectively compensating for the missing client certificate requirement in Akka.Remote. Carefully review Akka.Remote configuration to ensure TLS is enabled and properly configured, and monitor logs for any suspicious connection attempts.
Update Akka.NET to version 1.5.52 or later. This version fixes the vulnerability by implementing mutual TLS (mTLS) by default, requiring both parties to have the same private key. If you cannot update immediately, avoid exposing the application publicly as a temporary measure.
CVE-2025-61778 is a critical vulnerability in Akka.Remote versions ≤1.5.9 that allows attackers to bypass certificate-based authentication over TLS, potentially gaining unauthorized network access.
If you are using Akka.Remote versions 1.2.0 through 1.5.9 and have SSL/TLS enabled, you are likely affected by this vulnerability. Upgrade to 1.5.52 or later to mitigate the risk.
The recommended fix is to upgrade Akka.Remote to version 1.5.52 or later. If immediate upgrade is not possible, consider temporarily disabling TLS authentication or implementing a compensating control like a WAF.
There is currently no confirmed evidence of active exploitation, but the vulnerability's severity and ease of exploitation suggest it could become a target.
Refer to the official Akka.Remote project website and related security advisories for the most up-to-date information and guidance regarding CVE-2025-61778.