TrustAsia Revokes 143 Certificates After LiteSSL ACME Authorization Reuse Flaw

Related

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

What happened Threat actors are exploiting a critical Langflow vulnerability...

BlueHammer Microsoft Defender Flaw Exploited in Ransomware Attacks

What happened CISA updated its Known Exploited Vulnerabilities catalog to...

Critical Dell Wyse Vulnerabilities Enable Remote Code Execution

What happened Dell Technologies released a critical security advisory for...

Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

What happened The National Association of Insurance Commissioners confirmed it...

Share

What happened

TrustAsia revoked 143 certificates following LiteSSL ACME service vulnerability after discovering a logic error that allowed improper reuse of domain validation data across different ACME accounts. The report said TrustAsia suspended issuance services and revoked 143 SSL/TLS certificates issued via ACME after December 29, 2025, and referenced tracking under Mozilla Bugzilla ticket #2011713 following a community report received January 21, 2026. The stated root cause involved how the LiteSSL ACME service handled Authorization objects, enabling authorization reuse in a way that bypassed the requirement for unique validation per account context. TrustAsia stated its architecture maintains a one-to-one mapping between ACME accounts and EABs, and said affected certificates were revoked and the service was patched and restored. The report also noted ACME authorizations in production were reset to a revoked status to prevent reuse.

Who is affected

Organizations that obtained certificates from TrustAsia via LiteSSL ACME after December 29, 2025 are directly affected due to certificate revocation and potential service disruption. Indirectly affected parties include customers and users of impacted websites or services if revoked certificates are not replaced promptly.

Why CISOs should care

Certificate revocations can create sudden outages, break TLS-dependent integrations, and increase incident workload across distributed systems. Authorization reuse flaws also raise trust and compliance concerns because validation boundaries are foundational to PKI security and can undermine assurance if misapplied.

3 practical actions

  • Identify and replace revoked certificates: Inventory certificates issued by TrustAsia via ACME in the affected window and rotate any revoked/impacted certs immediately. 
  • Improve certificate lifecycle monitoring: Ensure revocation checking, expiry alerts, and automated reissuance workflows are operational across all internet-facing services. 
  • Reassess CA and ACME risk controls: Validate CA vendor governance, audit expectations, and ACME account segmentation to reduce systemic PKI exposure.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.