TrustAsia Revokes 143 SSL/TLS Certificates After ACME Validation Flaw
TrustAsia revoked 143 SSL/TLS certificates on January 21, 2026, following the discovery of a vulnerability in its LiteSSL ACME service. The flaw, disclosed in Mozilla Bugzilla bug 2011713, allowed domain validation data completed under one ACME account to be reused for orders placed by a different ACME account, so the resulting certificates were misissued under the CA/Browser Forum Baseline Requirements (TLS BR 2.2.2, Section 3.2.2.4).
The root cause was a logic error in how the service handled ACME Authorization objects: a validation completed by one account could satisfy an order from another account. Initial speculation pointed at External Account Binding (EAB) mismanagement, but TrustAsia stated that each ACME account maps to exactly one EAB, ruling EAB out as the cause and placing the error in the authorization handling itself. Certificates issued after December 29, 2025 were affected.
TrustAsia’s response timeline on January 21, 2026 (UTC+8):
- 14:55: Report received via V2EX; issuance suspended.
- 15:33: Initial revocation of two reported certificates.
- 21:21: Full scope identified (143 certificates); batch revocation initiated.
- 21:41: Patch deployed; all existing ACME authorizations reset to the REVOKED status, so every new order requires fresh domain validation.
- 23:00: Service fully restored.
All affected certificates were revoked, and TrustAsia plans to publish a detailed incident report on Mozilla Bugzilla. The incident underscores that automated issuance must bind every completed domain validation to the ACME account that performed it and allow reuse of that validation only for the same account; a lookup that ignores the account boundary turns one successful challenge into a certificate for anyone who asks.
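To make the failure mode concrete, the following is an added example written for this page, not code from TrustAsia or LiteSSL (whose implementation is not public). It models an ACME server's cache of completed authorizations in two forms: a vulnerable store that looks validations up by identifier alone, so one account's completed validation satisfies another account's order, and a hardened store keyed by (account, identifier) that re-checks ownership on every lookup. It also shows the reset step from the timeline above, every authorization set to revoked. The class and function names, the account identifiers acct-A and acct-B, and the domain victim.example are assumptions made for the illustration.

```python
# Added example (not code from TrustAsia/LiteSSL): a minimal model of an ACME
# server's cache of completed authorizations, showing the class of logic error
# the incident describes beside a corrected version.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Authorization:
    """Subset of an RFC 8555 authorization object (section 7.1.4)."""
    account_id: str   # ACME account that completed the challenge
    identifier: str   # DNS name that was validated
    status: str       # "pending", "valid" or "revoked" (RFC 8555 section 7.1.6)
    expires: datetime


class VulnerableAuthzStore:
    """Caches validated authorizations by identifier only.

    Any account that later orders the same name is handed the authorization
    another account completed: validation data is reused across accounts.
    This is an assumed model of the bug class, not LiteSSL's code.
    """

    def __init__(self):
        self._by_name = {}

    def record_valid(self, authz):
        self._by_name[authz.identifier] = authz

    def find_reusable(self, account_id, identifier, now):
        authz = self._by_name.get(identifier)
        if authz and authz.status == "valid" and authz.expires > now:
            return authz  # account_id is never compared: the bug
        return None

    def revoke_all(self):
        for authz in self._by_name.values():
            authz.status = "revoked"


class HardenedAuthzStore:
    """Keys the cache by (account, identifier) and re-checks ownership on lookup."""

    def __init__(self):
        self._by_owner = {}

    def record_valid(self, authz):
        self._by_owner[(authz.account_id, authz.identifier)] = authz

    def find_reusable(self, account_id, identifier, now):
        authz = self._by_owner.get((account_id, identifier))
        if authz is None or authz.account_id != account_id:
            return None
        if authz.status != "valid" or authz.expires <= now:
            return None
        return authz

    def revoke_all(self):
        for authz in self._by_owner.values():
            authz.status = "revoked"


def can_finalize(store, account_id, identifiers, now):
    """True only if every name in the order has a valid, unexpired authorization
    owned by account_id; otherwise the CA must issue fresh challenges first."""
    return all(store.find_reusable(account_id, name, now) is not None
               for name in identifiers)


def run_scenario(store):
    """Constructed scenario (not data from the incident): acct-A validates
    victim.example, then acct-B orders the same name without ever completing a
    challenge for it, then the CA resets every authorization to revoked.

    Returns (a_reuses_own_authz, b_issued_without_validation, a_after_reset).
    """
    now = datetime(2026, 1, 21, 14, 55, tzinfo=timezone(timedelta(hours=8)))
    store.record_valid(Authorization("acct-A", "victim.example", "valid",
                                     now + timedelta(days=30)))
    a_reuse = can_finalize(store, "acct-A", ["victim.example"], now)
    b_crosses = can_finalize(store, "acct-B", ["victim.example"], now)
    store.revoke_all()  # the response step: all authorizations -> revoked
    a_after = can_finalize(store, "acct-A", ["victim.example"], now)
    return a_reuse, b_crosses, a_after


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableAuthzStore()))  # (True, True, False)
    print("hardened:  ", run_scenario(HardenedAuthzStore()))    # (True, False, False)
```

Reusing a completed validation for later orders from the same account is normal ACME behaviour and is what RFC 8555 permits; the property the hardened store enforces is that the account in the lookup key and the account recorded on the stored object must both match the requester, so neither a keying mistake nor an authorization object that was re-pointed at another account can cross the account boundary. The revoke_all step mirrors the 21:41 remediation in the timeline: after the reset, even the original owner must revalidate.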
Source: https://cybersecuritynews.com/trustasia-revoked-143-certificates/
TrustAsia Technologies, Inc. cybersecurity rating report: https://www.rankiteo.com/company/trustasia
{
  "id": "TRU1769167373",
  "linkid": "trustasia",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [
    {
      "customers_affected": "143 certificates revoked (affected customers not specified)",
      "industry": "Cybersecurity/SSL/TLS Certificate Services",
      "name": "TrustAsia",
      "type": "Certificate Authority"
    }
  ],
  "date_detected": "2026-01-21T14:55:00+08:00",
  "date_publicly_disclosed": "2026-01-21",
  "date_resolved": "2026-01-21T23:00:00+08:00",
  "description": "TrustAsia revoked 143 SSL/TLS certificates on January 21, 2026, following the discovery of a vulnerability in its LiteSSL ACME service. The flaw allowed improper reuse of domain validation data across different ACME accounts, violating CA/Browser Forum Baseline Requirements (TLS BR 2.2.2, Section 3.2.2.4). The issue stemmed from a logic error in handling Authorization objects, where validation data was incorrectly shared between accounts.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to compliance violation",
    "downtime": "Service suspended from 2026-01-21T14:55:00+08:00 to 2026-01-21T23:00:00+08:00",
    "operational_impact": "Certificate issuance suspended, 143 certificates revoked",
    "systems_affected": "SSL/TLS certificate issuance system (LiteSSL ACME service)"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Critical need for strict domain validation compliance in automated certificate issuance",
  "post_incident_analysis": {
    "corrective_actions": "Patch deployed to fix logic error, all ACME authorizations reset, detailed incident report planned for release",
    "root_causes": "Logic error in handling Authorization objects in ACME service, leading to improper reuse of domain validation data"
  },
  "references": [
    {
      "source": "Mozilla Bugzilla",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2011713"
    },
    {
      "source": "V2EX"
    }
  ],
  "regulatory_compliance": {
    "regulations_violated": [
      "CA/Browser Forum Baseline Requirements (TLS BR 2.2.2, Section 3.2.2.4)"
    ]
  },
  "response": {
    "communication_strategy": "Incident details shared via Mozilla Bugzilla and V2EX",
    "containment_measures": "Certificate issuance suspended, initial revocation of reported certificates",
    "recovery_measures": "Service fully restored after patch deployment",
    "remediation_measures": "Patch deployed to fix logic error, all ACME authorizations reset to REVOKED"
  },
  "title": "TrustAsia Revokes 143 SSL/TLS Certificates After ACME Validation Flaw",
  "type": "Certificate Misissuance",
  "vulnerability_exploited": "Logic error in handling Authorization objects in ACME service, allowing improper reuse of domain validation data"
}