TrustAsia has revoked 143 SSL/TLS certificates following the discovery of a vulnerability in its LiteSSL ACME service. The flaw allowed the improper reuse of domain validation information across different ACME accounts, prompting an immediate suspension of issuance services and a subsequent mass revocation of affected certificates.
The incident, tracked under Mozilla Bugzilla ticket #2011713, was triggered by a community report received on January 21, 2026. The vulnerability specifically affected certificates issued through the ACME protocol after December 29, 2025.
Technical Root Cause and Impact
The core issue stemmed from a logic error in the LiteSSL ACME service's handling of Authorization objects. Investigations revealed that “Authorization information was reused across different ACME accounts,” effectively bypassing the requirement for unique validation per account context.
While community speculation initially suggested the issue might be related to External Account Binding (EAB) assignments in the database, TrustAsia clarified that their architecture maintains a strict one-to-one mapping between ACME Accounts and EABs.
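A minimal model of the class of flaw described above, added here as an illustration: it is not TrustAsia's code, and the class, function and account names are hypothetical. It contrasts an authorization lookup keyed on the domain alone with one scoped to the requesting ACME account, and includes a reset of all authorizations to revoked.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    account_id: str         # ACME account that completed the challenge
    identifier: str         # FQDN that was validated
    status: str = "valid"   # "valid" or "revoked"

class AuthzStore:
    def __init__(self):
        self._items = []

    def add(self, authz):
        self._items.append(authz)

    def find_domain_only(self, account_id, identifier):
        # Flawed lookup: account_id is ignored, so a validation completed
        # by one account satisfies an order from any other account.
        return next((a for a in self._items
                     if a.identifier == identifier and a.status == "valid"), None)

    def find_account_scoped(self, account_id, identifier):
        # Scoped lookup: the authorization must belong to the requester.
        return next((a for a in self._items
                     if a.account_id == account_id
                     and a.identifier == identifier
                     and a.status == "valid"), None)

    def revoke_all(self):
        # Remediation step: reset every valid authorization so each
        # account has to validate again before the next issuance.
        for a in self._items:
            a.status = "revoked"

def can_issue(store, account_id, identifier, scoped):
    lookup = store.find_account_scoped if scoped else store.find_domain_only
    return lookup(account_id, identifier) is not None

def demo():
    # Constructed data: acct-A validated example.test, acct-B never did.
    store = AuthzStore()
    store.add(Authorization("acct-A", "example.test"))
    before = (can_issue(store, "acct-B", "example.test", scoped=False),
              can_issue(store, "acct-B", "example.test", scoped=True),
              can_issue(store, "acct-A", "example.test", scoped=True))
    store.revoke_all()
    after = can_issue(store, "acct-A", "example.test", scoped=True)
    return before, after

if __name__ == "__main__":
    print(demo())
```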
Incident Scope:
Total Certificates Impacted: 143
Affected Protocol: ACME (Automated Certificate Management Environment)
Vulnerable Period: Issuance dates post-2025-12-29
Status: All affected certificates have been revoked; the service is patched and online.
The following timeline outlines the response actions taken by TrustAsia on January 21, 2026 (times in UTC+8).
Time | Event Description
14:55 | Compliance team received a report (via V2EX) regarding domain validation reuse.
15:10 | Preliminary confirmation of the issue; ACME issuance service suspended.
15:30 | Impact scope confirmed; investigation into specific certificates began.
15:33 | Revocation initiated for the 2 specific certificates mentioned in the initial report.
21:00 | Code fix completed and validated in the test environment.
21:21 | Identification of all 143 affected certificates completed; batch revocation initiated.
21:30 | Revocation completed for the 140 remaining valid certificates (3 were previously revoked).
21:41 | Patched code deployed to the production environment.
22:35 | Reset of all ACME Authorizations from VALID to REVOKED, forcing user re-validation.
23:00 | External ACME issuance service fully restored.
This incident violates the CA/Browser Forum Baseline Requirements (TLS BR Version 2.2.2), specifically Section 3.2.2.4, which mandates that the Certificate Authority must validate each Fully-Qualified Domain Name (FQDN) prior to issuance.
TrustAsia has stated that a Full Incident Report will be released to the Mozilla Bugzilla thread, which will include a more detailed root cause analysis and the definitive start date of the non-compliance.
All ACME Authorizations in the production environment have been reset to REVOKED status to prevent any lingering invalid authorizations from being used for new issuance.
