Opossum attack on HTTPS | Image: Researchers
Researchers have unveiled the Opossum Attack, a new class of desynchronization vulnerabilities that exploits the coexistence of implicit and opportunistic TLS in application-layer protocols like HTTP, FTP, SMTP, and more. The attack lets a network adversary break the integrity of the application data carried inside an encrypted connection without relying on any implementation bug: up-to-date TLS stacks are affected as well, because the handshake itself stays intact and the flaw lies in how the application protocol is bound to it.
“This authentication flaw can be utilized to influence the exchanged messages after the TLS handshake from a pure MitM position,” the researchers warned.
Many Internet protocols were originally plaintext and later retrofitted with encryption. The two main approaches:
- Implicit TLS (e.g., HTTPS on port 443): TLS is negotiated before any data exchange.
- Opportunistic TLS (e.g., SMTP with STARTTLS): A plaintext session is later upgraded to TLS mid-connection.
The Opossum Attack emerges when a client and server disagree on which variant they are using. The victim's client speaks implicit TLS (a browser connecting to port 443), while the same server also accepts an opportunistic TLS upgrade, typically on its plaintext port, under a certificate valid for the same hostname. A man-in-the-middle (MitM) attacker can open a plaintext connection to that opportunistic endpoint, inject a request of its own together with the upgrade, and then relay the victim's TLS handshake onto that connection. The result is a desynchronized session: the responses the victim reads inside its authenticated TLS channel are answers to requests the attacker injected, and the victim has no way to tell them from legitimate ones.
In one experiment, the victim's browser requests /cat.html but receives the response for /dog.html, the resource the attacker requested before the handshake. The browser accepts it because it arrives over a correctly authenticated TLS session. Since HTTP/1.1 pairs responses with requests in order, the shift does not correct itself: every later response on the connection answers the previous request.
“The attacker can abuse the flaw to inject a chosen (malicious) request, and the resulting (malicious) response will be delivered to the web browser within the secure TLS channel,” the researchers explained.
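To make the desynchronization concrete, here is an added toy model of the HTTP case, written for this article and not taken from the paper or its PoC artifacts. It assumes the mechanism the researchers describe: the server accepts an RFC 2817 `Upgrade: TLS/1.0` request on its plaintext port and, after the handshake, answers that request inside the new TLS session, so an attacker who injects one request before relaying the victim's handshake shifts every response the browser reads by one. The hostname and resources are placeholders, and TLS itself is reduced to an `on_tls_established()` callback, because the attack never touches the handshake.

```python
import collections

CRLF = "\r\n"

# Constructed sample content for the simulated server (not from the paper).
RESOURCES = {
    "/cat.html": "<h1>cat</h1>",
    "/dog.html": "<h1>dog</h1>",
    "/index.html": "<h1>index</h1>",
}

def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus headers (names lower-cased)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def wants_tls_upgrade(req: dict) -> bool:
    """RFC 2817 upgrade: a TLS token in Upgrade, and 'upgrade' listed in Connection."""
    upgrade = [t.strip().upper() for t in req["headers"].get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in req["headers"].get("connection", "").split(",")]
    return any(t.startswith("TLS/") for t in upgrade) and "upgrade" in connection

def build_request(target: str, upgrade: bool = False) -> str:
    lines = [f"GET {target} HTTP/1.1", "Host: www.example.com"]  # placeholder hostname
    if upgrade:
        lines += ["Upgrade: TLS/1.0", "Connection: Upgrade"]
    return CRLF.join(lines) + CRLF + CRLF

class ServerConnection:
    """One server-side TCP connection. implicit=True models port 443 (TLS from the
    first byte); implicit=False models port 80 on a server that, like Apache with
    'SSLEngine optional', honours an RFC 2817 upgrade when allow_upgrade=True."""

    def __init__(self, implicit: bool, allow_upgrade: bool):
        self.tls = implicit
        self.allow_upgrade = allow_upgrade
        self.pending = collections.deque()  # requests received but not yet answered

    def _respond(self, req: dict) -> str:
        body = RESOURCES[req["target"]]
        return f"HTTP/1.1 200 OK{CRLF}Content-Length: {len(body)}{CRLF}{CRLF}{body}"

    def on_plaintext(self, raw: str) -> str:
        """Cleartext HTTP arriving before any handshake (port-80 model only)."""
        assert not self.tls, "an implicit-TLS connection never carries cleartext HTTP"
        req = parse_request(raw)
        if self.allow_upgrade and wants_tls_upgrade(req):
            # RFC 2817 section 3.2: reply 101, run the handshake, then serve the
            # *original* request inside the new TLS session. That queued request is the hook.
            self.pending.append(req)
            return (f"HTTP/1.1 101 Switching Protocols{CRLF}"
                    f"Connection: Upgrade{CRLF}Upgrade: TLS/1.0, HTTP/1.1{CRLF}{CRLF}")
        return self._respond(req)  # answered in cleartext; nothing crosses into TLS

    def on_tls_established(self) -> list:
        """Handshake finished on this socket: flush whatever was queued before it."""
        self.tls = True
        out = [self._respond(r) for r in self.pending]
        self.pending.clear()
        return out

    def on_tls_data(self, raw: str) -> str:
        assert self.tls
        return self._respond(parse_request(raw))

def simulate(server_allows_upgrade: bool, victim_targets, attacker_target="/dog.html"):
    """Victim: browser doing implicit TLS. MitM: injects an upgrade request on a
    cleartext port-80 connection, then relays the victim's handshake onto that socket.
    Returns (victim_target, body the browser associates with it) pairs."""
    port80 = ServerConnection(implicit=False, allow_upgrade=server_allows_upgrade)
    reply = port80.on_plaintext(build_request(attacker_target, upgrade=True))
    if reply.startswith("HTTP/1.1 101"):
        # Server now expects a ClientHello here; the attacker forwards the victim's
        # handshake bytes unchanged, so the session is end-to-end and authenticated.
        conn = port80
    else:
        # Upgrade refused: the socket stays cleartext, the handshake cannot be spliced
        # in, and the victim ends up on an ordinary implicit-TLS connection.
        conn = ServerConnection(implicit=True, allow_upgrade=False)
    responses = collections.deque(conn.on_tls_established())
    seen = []
    for target in victim_targets:  # HTTP/1.1 pairs responses with requests in order
        responses.append(conn.on_tls_data(build_request(target)))
        seen.append((target, responses.popleft().split(CRLF + CRLF, 1)[1]))
    return seen
```

`simulate(True, ["/cat.html", "/index.html"])` yields the /dog.html body for /cat.html and the /cat.html body for /index.html, with the /index.html response still unread on the socket; with the upgrade refused, the pairs line up. The model leaves out the precondition the scan results make explicit: the opportunistic endpoint must present a certificate the browser accepts for the hostname, otherwise the relayed handshake fails and the attack stops there.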
They demonstrated four primary exploitation paths in HTTPS:
- Resource Confusion – Serving unexpected or malicious resources.
- Session Fixation – Forcing attacker-controlled session cookies.
- Reflected XSS Escalation – Turning benign bugs into exploitable XSS vectors.
- Request Smuggling – Apache-specific quirks allow full session hijacking.
The researchers conducted IPv4-wide scans and uncovered alarming figures:
- Over 3 million servers support both implicit and opportunistic TLS across various protocols.
- For HTTP alone, 20,121 servers across 35 ports accepted an opportunistic TLS upgrade; 539 of them presented a certificate also used by an HTTPS server for the same domain, which is the condition that makes them exploitable.
Popular software found to support opportunistic HTTP includes:
- Apache (via SSLEngine optional)
- CUPS and many printer frameworks
- Icecast, Cyrus IMAP, and HttpClient
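The Apache entry is the one most operators can check directly. The fragment below is added here as an illustration and is not taken from the paper; it places the directive that enables opportunistic TLS beside an implicit-only configuration, with placeholder hostnames and file paths.

```apache
# Opportunistic TLS on port 80: with "SSLEngine optional", mod_ssl answers an
# RFC 2817 "Upgrade: TLS/1.0" request with 101 Switching Protocols and starts TLS
# mid-connection. This is the setting the scan counted as opportunistic HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    SSLEngine optional
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Implicit only: port 80 stays cleartext and merely redirects, so there is no
# upgrade hook for a MitM to use; port 443 is TLS from the first byte.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
```

A quick self-check for any server, not just Apache, is a cleartext request to the HTTP port carrying `Upgrade: TLS/1.0` and `Connection: Upgrade`: a `101 Switching Protocols` reply means the host belongs to the population the scan counted, and if the certificate it then presents is the same one served on 443, it meets the exploitability condition above.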
The authors advocate a complete deprecation of opportunistic TLS, citing its inherent security risks. While strict ALPN enforcement helped mitigate prior cross-protocol attacks such as ALPACA, it does nothing against Opossum: the implicit and opportunistic variants of the same protocol legitimately use the same ALPN identifier, so the server sees nothing to reject.
“Our preferred solution to the Opossum attack is the deprecation of all opportunistic TLS protocols,” the paper states firmly.
Read the full paper and PoC artifacts here.