Threat Advisory

Akka.NET Vulnerability Lets Unauthorized Nodes Bypass TLS Security

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

A vulnerability, CVE-2025-61778, has been identified in the Akka.Remote module of Akka.NET that could allow unauthorized systems to join or communicate with trusted clusters because certificate-based authentication was implemented incompletely. The flaw allows an attacker to impersonate a legitimate node and establish communication within a TLS-protected Akka.NET cluster without possessing a valid certificate, potentially enabling interception or manipulation of messages between nodes.

The issue stems from an incomplete TLS handshake process: only server-side private key validation was performed, while outbound clients were not required to present certificates, effectively bypassing mutual authentication. This vulnerability primarily affects deployments that rely on TLS to secure multi-node or cloud-exposed environments; systems operating in isolated private networks, or without TLS enabled, remain unaffected.

The latest Akka.NET release introduces enhanced TLS handling and mandatory mutual authentication to mitigate this risk. Upgrading to the fixed version is strongly advised to prevent unauthorized peer communication and to preserve cluster integrity. The vulnerability has a CVSS score of 9.3.
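The one-sided handshake described above, reproduced as an added illustration with Go's standard crypto/tls rather than with Akka.NET (this is not Akka.Remote code and makes no claim about its API): a listener that only validates its own certificate admits a peer holding no certificate at all, while a listener that requires and verifies client certificates rejects it. The node name "trusted-node" and the in-process self-signed certificate are constructed test material.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSignedCert builds throwaway test material for the listening node
// (constructed in-process, not a certificate from any real deployment).
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// CertlessPeerAccepted reports whether a listener enforcing the given client-auth policy completes
// its handshake with a peer that verifies the listener but presents no certificate of its own.
func CertlessPeerAccepted(policy tls.ClientAuthType) bool {
	serverCert, pool := selfSignedCert("trusted-node")
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy,
		ClientCAs:    pool, // peers must chain to the cluster's own trust anchor
	})
	defer ln.Close()
	accepted := make(chan bool, 1)
	go func() {
		c, _ := ln.Accept()
		defer c.Close()
		accepted <- c.(*tls.Conn).Handshake() == nil // the client-cert policy is applied here
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "trusted-node"}); err == nil {
		cli.Close()
	}
	return <-accepted
}
```

Note that a listener which merely requests a client certificate without requiring one (`tls.VerifyClientCertIfGiven`) also admits the certificate-less peer; only `tls.RequireAndVerifyClientCert` turns the check into mutual authentication.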


RECOMMENDATION:

  • We strongly recommend updating Akka.NET to version 1.5.52 or later.


REFERENCES:

The following reports contain further technical details:
