TrustAsia Revokes 143 Certificates After LiteSSL ACME Authorization Reuse Flaw

What happened

TrustAsia revoked 143 certificates after discovering a logic error in its LiteSSL ACME service that allowed domain validation data to be reused improperly across different ACME accounts. According to the report, TrustAsia suspended issuance and revoked 143 SSL/TLS certificates issued via ACME after December 29, 2025; the incident is tracked in Mozilla Bugzilla ticket #2011713 following a community report received on January 21, 2026. The stated root cause was how the LiteSSL ACME service handled Authorization objects: an authorization could be reused in a way that bypassed the requirement for unique validation in each account context. TrustAsia stated that its architecture maintains a one-to-one mapping between ACME accounts and EABs (External Account Bindings), and said the affected certificates were revoked and the service was patched and restored. The report also noted that ACME authorizations in production were reset to a revoked status to prevent further reuse.
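To make the root cause concrete, the following is an added illustrative model (not TrustAsia's code, and not derived from the report) of how an ACME server decides whether an existing Authorization may satisfy a new order. It contrasts a lookup keyed on the identifier alone, which lets a second account reuse another account's validation, with one that also requires the requesting account to match, and shows the "reset authorizations to revoked" remediation the report describes; the account and hostname values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Authorization:
    """ACME Authorization object (RFC 8555 section 7.1.4), bound to the account that validated it."""
    identifier: str        # DNS name this authorization covers
    account: str           # ACME account that completed the challenge
    status: str = "valid"  # valid | pending | revoked | ...


@dataclass
class AuthzStore:
    authzs: List[Authorization] = field(default_factory=list)

    def find_reusable_flawed(self, account: str, identifier: str) -> Optional[Authorization]:
        # Flawed model: the lookup ignores which account validated the identifier,
        # so an authorization validated under account A satisfies an order from account B.
        for a in self.authzs:
            if a.identifier == identifier and a.status == "valid":
                return a
        return None

    def find_reusable(self, account: str, identifier: str) -> Optional[Authorization]:
        # Hardened model: a valid authorization is reusable only by the account that validated it.
        for a in self.authzs:
            if a.account == account and a.identifier == identifier and a.status == "valid":
                return a
        return None

    def reset_all(self) -> int:
        # Remediation modelled on the report: mark every stored authorization revoked so nothing
        # previously validated can be reused; returns how many were changed.
        changed = 0
        for a in self.authzs:
            if a.status != "revoked":
                a.status = "revoked"
                changed += 1
        return changed


def demo() -> tuple:
    # Constructed scenario: acct-A validated example.test; acct-B then orders the same name.
    store = AuthzStore([Authorization("example.test", "acct-A")])
    flawed_reuses = store.find_reusable_flawed("acct-B", "example.test") is not None
    fixed_rejects = store.find_reusable("acct-B", "example.test") is None
    reset_count = store.reset_all()
    owner_after_reset = store.find_reusable("acct-A", "example.test") is None
    return flawed_reuses, fixed_rejects, reset_count, owner_after_reset
```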

Who is affected

Organizations that obtained certificates from TrustAsia via LiteSSL ACME after December 29, 2025, are directly affected: their certificates have been revoked and services that depend on them may be disrupted. Indirectly affected parties include customers and users of the impacted websites or services if the revoked certificates are not replaced promptly.

Why CISOs should care

Certificate revocations can create sudden outages, break TLS-dependent integrations, and increase incident workload across distributed systems. Authorization reuse flaws also raise trust and compliance concerns because validation boundaries are foundational to PKI security and can undermine assurance if misapplied.

3 practical actions

  • Identify and replace revoked certificates: Inventory certificates issued by TrustAsia via ACME in the affected window and rotate any revoked or impacted certificates immediately.
  • Improve certificate lifecycle monitoring: Ensure revocation checking, expiry alerts, and automated reissuance workflows are operational across all internet-facing services.
  • Reassess CA and ACME risk controls: Validate CA vendor governance, audit expectations, and ACME account segmentation to reduce systemic PKI exposure.