Apache Log4j 2.0-beta9 < 2.25.3 MitM

🗓️ 09 Jan 2026 00:00:00Reported by TenableType

Log4j versions 2.0-beta9 to 2.25.2 disable hostname verification in Socket Appender, enabling MITM.

Reporter	Title	Published	Views	Family All 205
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities affects IBM Data Studio Client 4.2.2	19 May 202606:38	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.	21 May 202614:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in log4j-core (CVE-2025-68161)	5 Mar 202607:53	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities affects IBM License Metric Tool v9	26 Mar 202611:35	–	ibm
IBM Security Bulletins	Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Eclipse Jersey Race Condition (CVE-2025-68161)	27 Apr 202612:24	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM StreamSets Data Collector	9 Mar 202621:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in log4j-core-2.17.1.jar	5 May 202622:28	–	ibm
IBM Security Bulletins	Security Bulletin: InfoSphere Data Architect (IDA) is affected by Multiple Vulnerabilities.	24 Apr 202617:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in Apache Log4j Core shipped in Tivoli Netcool/OMNIbus	29 May 202612:15	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Guardium Key Lifecycle Manager (SKLM/GKLM)	6 May 202613:53	–	ibm

Source	Link
lists	www.lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282519);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/17");

  script_cve_id("CVE-2025-68161");
  script_xref(name:"IAVA", value:"2026-A-0001");

  script_name(english:"Apache Log4j 2.0-beta9 < 2.25.3 MitM");

  script_set_attribute(attribute:"synopsis", value:
"A logging library installed on the remote host is affected by a man in the middle vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Log4j on the remote host is 2.0-beta9 through 2.25.2. The Socket Appender in Apache Log4j Core 
versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the 
verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName 
configuration attribute or the log4j2.sslVerifyHostName 
https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to 
true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following 
conditions:

  - The attacker is able to intercept or redirect network traffic between the client and the log receiver.
 
  - The attacker can present a server certificate issued by a certification authority trusted by the Socket
    Appenderâs configured trust store (or by the default Java trust store if no custom trust store is
    configured).

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Log4j version 2.25.3 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-68161");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:log4j");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_log4j_nix_installed.nbin", "apache_log4j_win_installed.nbin");
  script_require_keys("installed_sw/Apache Log4j");

  exit(0);
}

include('vcf.inc');

var app = 'Apache Log4j';

var app_info = vcf::get_app_info(app:app);

var constraints = [
  {'min_version':'2.0-beta9', 'fixed_version':'2.25.3'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);

17 Feb 2026 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 3.14.8

CVSS 46.3

EPSS0.00029

SSVC