CVE-2025-12543

Published Jan 7, 2026

Last updated a month ago

CVSS critical 9.6
Undertow
WildFly
JBoss EAP

Overview

Description
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Source
secalert@redhat.com
NVD status
Modified
Products
build_of_apache_camel, data_grid, fuse, jboss_enterprise_application_platform, jboss_enterprise_application_platform_expansion_pack, process_automation, single_sign-on, undertow

Risk scores

CVSS 3.1

Type
Primary
Base score
9.6
Impact score
6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secalert@redhat.com
CWE-20

Social media

Hype score
Not currently trending
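  1. HPE Telco Service Activator vulnerability CVE-2025-12543 fixed: risk of remote access restriction bypass https://t.co/jzPdNDcxvf In HPE Telco Service Activator, a core system supporting network automation for telecom operators, an unauthenticated remote attacker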

    @iototsecnews

    2 Mar 2026

    240 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️ Vulnerability in HPE products ❗ CVE-2025-12543 ➡️ More info: https://t.co/2KQdYCLUFS https://t.co/wnrrXnVPHb

    @CERTpy

    25 Feb 2026

    95 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CRITICAL] Critical Flaw in HPE Telco Service Activator Exposed CVE-2025-12543 allows remote access control bypass; HPE urges updates. CVE: CVE-2025-12543 … https://t.co/tUOR2W8DOw

    @MysocAi

    25 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [HIGH] CVE-2025-12543 in HPE Telco Service Activator HPE discovers critical vulnerability in Telco Service Activator affecting access controls. CVE: CVE-20… https://t.co/tUOR2W8DOw

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [HIGH] Critical Vulnerability in HPE Telco Service Activator CVE-2025-12543 in HPE Telco Service Activator allows remote access control bypass; patch available. CVE: CVE-2025-12543 • APT: N/A • Status: ACTIVE Una… https://t.co/UDnQDYQasT

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. [HIGH] HPE Telco Service Activator Vulnerability CVE-2025-12543 allows remote access control bypass in HPE Telco Service Activator. CVE: CVE-2025-12543 • A… https://t.co/tUOR2W8DOw

    @MysocAi

    24 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. [HIGH] CVE-2025-12543 in HPE Telco Service Activator Allows Remote Access Critical flaw in HPE Telco Service Activator enables unauthorized remote acces… https://t.co/U4T1PjCeXk

    @MysocAi

    24 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 Critical HPE Telco Service Activator Bug Lets Attackers Bypass Access Controls via Host-Header Abuse (CVE-2025-12543) HPE disclosed CVE-2025-12543 (CVSS 9.6) in Telco Service Activator where Undertow fails to properly validate the HTTP Host header, enabling remote access

    @ThreatSynop

    24 Feb 2026

    57 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. [CRITICAL] CVE-2025-12543: Critical Flaw in HPE Telco Service Activator HPE discovers CVE-2025-12543, a critical flaw allowing remote access control byp… https://t.co/U4T1PjCeXk

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. [CRITICAL] Critical Vulnerability in HPE Telco Service Activator Discovered HPE identifies CVE-2025-12543, a critical flaw allowing remote access contro… https://t.co/U4T1PjCeXk

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. [HIGH] CISA Issues Emergency Patches for Critical Vulnerabilities CISA releases patches for critical flaws in multiple platforms. CVE: CVE-2026-1731, CVE-2025-12543 • APT: Unknown • Status: ACTIVE Urgent action needed t… https://t.co/J2iNIRDDMh

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🔶 [HIGH] CISA Warns of Active Exploitation of HPE Telco Service Activator Flaw CISA issues warning … 🔴 CVE: CVE-2025-12543 🕵️ APT: Unknown ⚡ Status: ACTIVE 🎯 MITRE: Initial Access, Exploitation for Privilege Escalation ⚔️ Requires immediate patching to prev

    @MysocAi

    24 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Critical HPE Telco Service Activator Flaw (CVE-2025-12543) Lets Attackers Bypass Host-Based Access Controls HPE warns a critical improper Host-header validation bug in the Undertow HTTP core used by Telco Service Activator can let remote attackers bypass access restrictions

    @ThreatSynop

    23 Feb 2026

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

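  14. A serious vulnerability (CVE-2025-12543) has been found in HPE Service Activator, which handles service activation for telecom operators. It is high risk with a CVSS score of 9.6, and there is a risk of internal network compromise. The cause is Undertow, which is used internally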

    @yousukezan

    23 Feb 2026

    3478 Impressions

    2 Retweets

    21 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  15. Critical Undertow HTTP server flaw CVE-2025-12543 (CVSS 9.6) impacts HPE Telco Service Activator, allowing cache poisoning and session hijacking. Patch now. #HPESA #CVE202512543 #CyberSecurity #TelecomSecurity #Undertow #CachePoisoning #InfoSec https://t.co/jUoi3Bzl6u

    @the_yellow_fall

    23 Feb 2026

    151 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  16. #VulnerabilityReport #CachePoisoning The 9.6 Crack in Java’s Foundation: Critical Undertow Flaw CVE-2025-12543 https://t.co/FqqAdHAsDg

    @Komodosec

    13 Feb 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. https://t.co/MRPSLkLbYA CVE-2025-12543: Host Header Validation Bypass in Undertow

    @BentleyAudrey

    23 Jan 2026

    438 Impressions

    3 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  18. Java: Host header validation flaw in the Undertow HTTP server (CVE-2025-12543) https://t.co/VrREFdhTJ3 #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    13 Jan 2026

    148 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CVE-2025-12543: The Undertow Hijack Flaw Threatening WildFly and JBoss Infrastructure Read the full report on - https://t.co/wuxlNWYTEU https://t.co/6E607TgzOA

    @cyberbivash

    10 Jan 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Undertow HTTP server core (io.undertow:undertow-core) has a #CRITICAL vulnerability, CVE-2025-12543, due to improper Host header validation. #WebSecurity #Vulnerability https://t.co/6RiSLa4J7t

    @pulsepatchio

    9 Jan 2026

    76 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Undertow HTTP server has a critical Host header validation flaw (CVE-2025-12543). Impacts #Java applications like WildFly/JBoss EAP. Requires attention to prevent malformed request processing. #infosec #vulnerability https://t.co/uDxQQ5BVUx

    @pulsepatchio

    9 Jan 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. A critical host header validation flaw affects the Undertow HTTP server (CVE-2025-12543). Improper header handling may lead to security bypasses. Implement input validation. #Undertow #HTTPsecurity #CVE https://t.co/6RiSLa4J7t

    @pulsepatchio

    9 Jan 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. 🚨 Critical Undertow Host-Header Bug (CVE-2025-12543) Enables Session Hijack & Cache Poisoning A critical Undertow core flaw (CVSS 9.6) fails to properly validate HTTP Host headers, letting remote attackers trigger cache poisoning, internal network scanning, and session hij

    @ThreatSynop

    9 Jan 2026

    65 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  24. 🚨 Critical Undertow Host-Header Flaw (CVE-2025-12543) Enables Session Hijack & Cache Poisoning in Java Apps A critical Undertow issue caused by improper validation of HTTP Host headers can be exploited remotely (no auth) to enable session hijacking, cache poisoning, and in

    @ThreatSynop

    9 Jan 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. [CVE-2025-12543: CRITICAL] Critical security flaw in Undertow HTTP server core used in WildFly & JBoss EAP allows attackers to poison caches, perform network scans, or hijack user sessions. #cybersecurity#cve,CVE-2025-12543,#cybersecurity https://t.co/zmLmQ76XTo https://t.co/

    @CveFindCom

    7 Jan 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🔴 CVE-2025-12543 - Critical A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in inc... https://t.co/DSyYdb9594 https://t.co/pqwdSgc96L

    @TheHackerWire

    7 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. CVE-2025-12543 A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate t… https://t.co/gTQo3U4Y59

    @CVEnew

    7 Jan 2026

    127 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations