CVE-2025-11695
When · When Multiple Products
Executive summary
A high-severity vulnerability has been discovered in multiple "When" products, identified as CVE-2025-11695. This flaw causes the software to incorrectly disable security checks when a connection string is configured for a secure connection, paradoxically making it insecure. Successful exploitation could allow a network attacker to intercept, view, and modify sensitive data, leading to a significant data breach.
Vulnerability
This vulnerability is a logical flaw in the TLS implementation of the affected products. When a connection string contains the parameter tlsInsecure=False, which is intended to enforce strict TLS certificate validation, the software incorrectly processes this flag and disables certificate validation entirely. An attacker with the ability to perform a Man-in-the-Middle (MitM) attack can intercept the connection and present a self-signed or otherwise invalid TLS certificate. The vulnerable application will fail to validate this certificate and proceed with the connection, allowing the attacker to decrypt and manipulate all traffic between the client and the legitimate server.
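As an added illustration (not code from the advisory, the vendor, or any affected product), the following Python sketch shows how a connection-string option such as tlsInsecure=False can end up disabling validation, and what a strict parser looks like. The root cause assumed here, a check that treats the mere presence of the parameter as "true", is a common pattern for this class of bug and is an assumption, not something the advisory states; the URI scheme, host and the helper names are likewise constructed for the example.

```python
"""Added example: lenient vs. strict handling of a tlsInsecure connection-string
flag, plus a small configuration audit. The buggy reader models an assumed root
cause (presence treated as truthy); it is not the affected products' code."""
import ssl
from urllib.parse import parse_qs, urlsplit

_TRUE = {"true", "1", "yes"}
_FALSE = {"false", "0", "no"}


def query_params(uri: str) -> dict[str, str]:
    """Flatten the query string of a connection URI into {name: last_value}."""
    query = urlsplit(uri).query
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def buggy_tls_insecure(uri: str) -> bool:
    """Assumed defective reader: any non-empty value, including the string
    'False', is truthy, so tlsInsecure=False still switches validation off."""
    return bool(query_params(uri).get("tlsInsecure", ""))


def parse_bool(value: str, name: str) -> bool:
    """Strict boolean parsing: only explicit true/false tokens are accepted."""
    token = value.strip().lower()
    if token in _TRUE:
        return True
    if token in _FALSE:
        return False
    raise ValueError(f"invalid boolean for {name}: {value!r}")


def fixed_tls_insecure(uri: str) -> bool:
    """Corrected reader: absent means secure, and the value must parse."""
    return parse_bool(query_params(uri).get("tlsInsecure", "false"), "tlsInsecure")


def build_ssl_context(uri: str, insecure_reader=fixed_tls_insecure) -> ssl.SSLContext:
    """Build a client TLS context; verification is only relaxed when the
    supplied reader says the connection string asked for it."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    if insecure_reader(uri):
        ctx.check_hostname = False  # must be cleared before verify_mode can change
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(uri: str, insecure_reader=fixed_tls_insecure) -> bool:
    """True when the resulting context still validates the server certificate."""
    ctx = build_ssl_context(uri, insecure_reader)
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit_connection_string(uri: str, client_patched: bool) -> list[str]:
    """Configuration review helper: report settings that weaken TLS.
    On an unpatched client the advisory's flaw means the parameter should not
    be present at all, whatever its value."""
    findings: list[str] = []
    raw = query_params(uri).get("tlsInsecure")
    if raw is None:
        return findings
    if not client_patched:
        findings.append("tlsInsecure present on an unpatched client; remove it until the vendor fix is applied")
    try:
        if parse_bool(raw, "tlsInsecure"):
            findings.append("tlsInsecure=true disables certificate validation")
    except ValueError:
        findings.append(f"tlsInsecure={raw!r} is not a recognised boolean value")
    return findings


if __name__ == "__main__":
    # Constructed sample connection string; host and scheme are placeholders.
    sample = "db://db.internal.example/app?tlsInsecure=False"
    print("buggy reader disables validation:", not verifies_peer(sample, buggy_tls_insecure))
    print("fixed reader keeps validation:   ", verifies_peer(sample))
    print("audit (unpatched):", audit_connection_string(sample, client_patched=False))
```

The point of the audit helper is the compensating control: until the vendor fix is deployed, the safest configuration is one in which tlsInsecure does not appear in the connection string at all, because the flaw means its value cannot be trusted to be honoured.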
Business impact
This vulnerability is rated as High severity with a CVSS score of 8. Exploitation can have severe consequences for the organization, primarily through the compromise of data confidentiality and integrity. An attacker could intercept sensitive information such as user credentials, personally identifiable information (PII), financial data, or proprietary business secrets transmitted over the network. This could lead to significant financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines for non-compliance with data protection standards.
Remediation
Immediate Action: The primary remediation is to apply the security updates released by the vendor immediately. Prioritize patching for internet-facing and business-critical systems. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing application and network access logs for anomalous connection patterns.
Proactive Monitoring: Configure network monitoring tools and Security Information and Event Management (SIEM) systems to alert on TLS connections that use invalid, self-signed, or unexpected certificates to or from affected systems. Review application logs for any certificate-related errors or warnings that may indicate an attempted or successful MitM attack.
Compensating Controls: If immediate patching is not feasible, implement network segmentation to isolate affected systems and limit an attacker's ability to gain a MitM position. Utilize a trusted TLS-inspecting proxy or firewall to enforce certificate validation externally before traffic reaches the vulnerable application. If possible within the application's architecture, implement certificate pinning to ensure connections are only made to servers with a specific, known certificate.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8) of this vulnerability and its potential to enable complete data interception, organizations are urged to take immediate action. We strongly recommend identifying all instances of affected "When" products and deploying the vendor-provided security patches on an emergency basis. Although this vulnerability is not yet on the CISA KEV list, its critical impact on data confidentiality and integrity warrants immediate and prioritized remediation to prevent potential compromise.