
Researchers at TII, in cooperation with Paderborn University and Ruhr University Bochum (both in Germany), have uncovered a significant vulnerability in the way secure communications are handled across widely used internet protocols.
Through their latest study, the team identified a flaw in the integration of Transport Layer Security (TLS) - the protocol that underpins secure communications - which exposes a broad class of applications to what has now been termed the Opossum Attack. This discovery builds on the foundations of earlier research (such as the ALPACA attack) but reveals that even existing countermeasures are not sufficient when protocols support both implicit and opportunistic TLS simultaneously.
In practice, this vulnerability introduces a risk of desynchronization between client and server communications, opening the door to exploits in HTTP(S), while breaking formal security guarantees in other protocols such as FTP(S), POP3(S), and SMTP(S). The research team was able to demonstrate realistic attack scenarios including session fixation, content confusion, and XSS amplification - all critical threats in modern digital environments.
Extensive internet-wide scans revealed that over 2.9 million servers are potentially affected - including more than 1.4 million IMAP servers, 1.1 million POP3 servers, and 2,268 vulnerable HTTP servers. For HTTP in particular, concrete exploits could be demonstrated. While these numbers remain modest in the context of global infrastructure, the nature of the vulnerability - stemming from the protocol standard itself - makes it particularly noteworthy.
The work reflects TII’s mission to pioneer advanced research that informs both secure systems and the standards that govern them. While the number of actively exploitable systems remains small, the implications are far-reaching, especially in embedded and legacy contexts. In response to the vulnerability, Apache2 has deprecated opportunistic TLS for HTTP and is tracking the issue under CVE-2025-49812, and Cyrus IMAPd has disabled opportunistic TLS by default.
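The condition the researchers describe is a service that offers both implicit TLS (a dedicated TLS port) and opportunistic TLS (a plaintext port that can be upgraded with STARTTLS, STLS, or an HTTP Upgrade header). The vendor responses above amount to turning the opportunistic side off, so a defender's first step is an inventory of which of their own hosts still advertise it. The following script is an added example written for this page, not code from TII, the research team, or any of the named projects. It parses constructed IMAP, POP3, SMTP and HTTP responses of the kind a plaintext port returns, and cross-references them with a constructed set of implicit-TLS listeners; the hostnames, the `Service` class and the sample responses are all assumptions made up for illustration.

```python
"""Inventory check: which hosts expose both implicit and opportunistic TLS?

All hostnames and responses below are constructed for illustration; in practice
the inputs would come from your own service inventory rather than a live probe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str  # one of "imap", "pop3", "smtp", "http"


def advertises_opportunistic_tls(protocol: str, response: str) -> bool:
    """Return True if a plaintext-port response offers an in-band TLS upgrade."""
    if protocol == "imap":
        # STARTTLS appears in an untagged CAPABILITY line or a [CAPABILITY ...] greeting.
        return re.search(r"\bSTARTTLS\b", response, re.IGNORECASE) is not None
    if protocol == "pop3":
        # A CAPA response lists the STLS capability on a line of its own.
        return any(line.strip().upper() == "STLS" for line in response.splitlines())
    if protocol == "smtp":
        # EHLO responses advertise the extension as '250-STARTTLS' or '250 STARTTLS'.
        return any(
            re.match(r"250[- ]STARTTLS\s*$", line.strip(), re.IGNORECASE)
            for line in response.splitlines()
        )
    if protocol == "http":
        # RFC 2817 style upgrade: an 'Upgrade:' header naming TLS in the response head.
        head = response.split("\r\n\r\n", 1)[0]
        for line in head.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "upgrade" and "TLS" in value.upper():
                return True
        return False
    raise ValueError(f"unsupported protocol: {protocol}")


def find_dual_mode_hosts(plaintext_responses, implicit_listeners):
    """Return sorted (host, protocol) pairs that expose both TLS modes.

    plaintext_responses: list of (Service, response_text) from plaintext ports.
    implicit_listeners: set of (host, protocol) where an implicit-TLS port exists.
    """
    opportunistic = {
        (svc.host, svc.protocol)
        for svc, resp in plaintext_responses
        if advertises_opportunistic_tls(svc.protocol, resp)
    }
    return sorted(opportunistic & implicit_listeners)


# Constructed sample data: plaintext-port responses as a scanner of our own
# inventory might record them (not captured from any real server).
SAMPLE_PLAINTEXT = [
    (Service("mail.example.test", 143, "imap"),
     "* OK IMAP ready\r\n* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\n"),
    (Service("mail.example.test", 110, "pop3"),
     "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"),
    (Service("mx.example.test", 25, "smtp"),
     "250-mx.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"),
    (Service("web.example.test", 80, "http"),
     "HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n"
     "Connection: Upgrade\r\n\r\n"),
    (Service("legacy.example.test", 143, "imap"),
     "* OK IMAP ready\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"),
]

# Constructed: hosts where the dedicated implicit-TLS port (993/995/465/443) answers.
SAMPLE_IMPLICIT = {
    ("mail.example.test", "imap"),
    ("mail.example.test", "pop3"),
    ("web.example.test", "http"),
    ("legacy.example.test", "imap"),
}

if __name__ == "__main__":
    for host, protocol in find_dual_mode_hosts(SAMPLE_PLAINTEXT, SAMPLE_IMPLICIT):
        print(f"{host}: {protocol} offers both implicit and opportunistic TLS")
```

On the sample data the script reports the IMAP and POP3 listeners on mail.example.test and the HTTP listener on web.example.test: the SMTP host has no implicit-TLS port in the inventory, and the legacy IMAP server does not advertise STARTTLS, so neither meets the dual-mode condition. Each reported pair is a candidate for disabling the opportunistic listener, mirroring what the Cyrus IMAPd default change does.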
To learn more about the Opossum Attack and TII’s work at the forefront of international cybersecurity, visit opossum-attack.com