Thank you for your feedback. We have acknowledged this issue and suspended the affected ACME certificate issuance service at 15:40 (UTC+8) on January 21, 2026.
We have identified the cause. The issue affects only the recently launched free ACME service (litessl.cn). We are currently identifying the impacted certificates and will complete the revocation within 24 hours. We will publish a incident report as soon as possible and will keep you informed of any key developments. On Wednesday, January 21, 2026 at 4:59:07 PM UTC+8 Roger M Lambdin wrote: > > I've noticed this CA has just been found to have a major vulnerability. > > A security researcher discovered the following issues with LiteSSL's ACME > server: > > According to his post [1]: > > 1. Flawed ACME IP throttling policy causes frequent certificate issuance > failures > > 2. DNS -01 challenge can be exploited to issue wildcard certificates for > arbitrary domains. > > The second issue is particularly severe. Reproduction steps: > > 1. Create a LiteSSL ACME account using your own domain and pass the DNS-01 > challenge to request a wildcard certificate > > 2. View the list of wildcard certificates issued by this CA and select any > one arbitrarily [2]. > > 3. Using your own ACME account, construct an ACME request to apply for a > wildcard certificate for the selected domain [3]. > > I recommend the following actions: > > 1. Based on this CA's certificate issuance list, we need to identify which > wildcard certificates have been issued [2]. > > 2. The CA must take action to fix the vulnerability in the ACME server. > > 3. The CA must submit an incident report. We need to know: When was the > DNS-01 challenge implemented? How did the vulnerability occur? When was the > earliest exploitation of this vulnerability? Which certificates were > erroneously issued? > > 4. Revoke the erroneously issued wildcard certificates and immediately > notify the owners of these domains. > > 5. Based on the certificate CA information, this company is a subordinate > CA of TrustAsia. We need to know: Does LiteSSL share infrastructure with > them? > > 6. This CA must conduct a thorough investigation of its security measures > and provide a report. > > [1] Original source: https://archive.ph/u6U2p > > [2] Certificate list: https://crt.sh/?CN=%25&iCAID=438132 > > [3] Certificate issued by the researcher: https://crt.sh/?q=vaadd.com > > > > > > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/7d5340e8-ac38-477b-90b2-fd9938c37c62n%40mozilla.org.
