
The breach exposes a systemic weakness in ACME implementations, risking widespread domain impersonation and non‑compliance with CA/Browser Forum standards. Rapid revocation and remediation are essential to maintain trust in the public‑key infrastructure ecosystem.
The discovery of a critical vulnerability in TrustAsia's LiteSSL ACME service highlights the fragility of automated certificate issuance pipelines. Because the service allowed domain-validation data to be reused across unrelated ACME accounts, an attacker could obtain wildcard certificates without completing fresh DNS-01 challenges. This type of authorization bypass violates the CA/Browser Forum Baseline Requirements, which mandate unique validation per issuance, and underscores the need for rigorous account-context checks in any ACME implementation.
TrustAsia's incident response demonstrates best‑practice crisis management in the PKI space. Within minutes of the community report, the company halted ACME issuance, identified the full scope of affected certificates, and deployed a code fix that addressed both the logic error and the excessive cache duration. The rapid revocation of 140 still‑valid certificates and the reset of all authorizations forced customers to re‑validate, effectively containing the threat within eight hours. Such swift action mitigates potential domain hijacking and preserves the credibility of the certificate authority.
For organizations relying on ACME‑based certificate services, the episode serves as a cautionary tale. Continuous monitoring of CA compliance, regular audits of validation workflows, and prompt verification of certificate status are essential safeguards. Enterprises should also maintain an incident‑response playbook that includes automated revocation checks and rapid re‑issuance procedures. As the ecosystem increasingly adopts automated TLS provisioning, ensuring robust validation logic and minimizing cache lifetimes become critical to preventing similar breaches and sustaining trust in internet security infrastructure.
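As an added illustration (not TrustAsia's code, nor any real ACME server's), the following Python models the two defects described above and their fix: an authorization cache keyed by domain alone, which lets an unrelated account reuse another account's DNS-01 validation, beside an account-scoped cache with a short lifetime. The account names, domain and cache TTLs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class Authorization:
    account_id: str      # ACME account that completed the challenge
    domain: str          # base domain, e.g. "example.com"
    wildcard: bool       # True if the validation also covers "*.<domain>"
    challenge: str       # challenge type completed, e.g. "dns-01"
    validated_at: datetime

class AuthzCache:
    """Cache of completed validations. scoped_to_account=False reproduces the flaw:
    keyed by domain only, so any account can reuse another's validation."""
    def __init__(self, max_age: timedelta, scoped_to_account: bool) -> None:
        self.max_age, self.scoped_to_account, self._store = max_age, scoped_to_account, {}
    def _key(self, account_id: str, domain: str):
        return (account_id if self.scoped_to_account else None, domain)
    def record(self, authz: Authorization) -> None:
        self._store[self._key(authz.account_id, authz.domain)] = authz
    def lookup(self, account_id: str, domain: str, now: datetime):
        authz = self._store.get(self._key(account_id, domain))
        if authz is None or now - authz.validated_at > self.max_age:
            return None  # missing or stale: the client must complete a fresh challenge
        return authz

def can_issue(cache: AuthzCache, account_id: str, name: str, now: datetime) -> bool:
    """Allow issuance only against a fresh authorization held by the requesting
    account; a wildcard name also requires a DNS-01 validation of the base domain."""
    wildcard = name.startswith("*.")
    authz = cache.lookup(account_id, name[2:] if wildcard else name, now)
    if authz is None:
        return False
    return not wildcard or (authz.wildcard and authz.challenge == "dns-01")

def demo() -> dict:
    """Constructed scenario (assumed TTLs, not TrustAsia's real settings): account A
    validated example.com via DNS-01 at t0; account B never validated anything."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    authz = Authorization("acct-A", "example.com", True, "dns-01", t0)
    weak = AuthzCache(timedelta(days=30), scoped_to_account=False)
    fixed = AuthzCache(timedelta(hours=1), scoped_to_account=True)
    weak.record(authz); fixed.record(authz)
    soon, later = t0 + timedelta(minutes=5), t0 + timedelta(hours=2)
    return {
        "weak_other_account": can_issue(weak, "acct-B", "*.example.com", later),
        "fixed_other_account": can_issue(fixed, "acct-B", "*.example.com", soon),
        "fixed_owner_fresh": can_issue(fixed, "acct-A", "*.example.com", soon),
        "fixed_owner_stale": can_issue(fixed, "acct-A", "*.example.com", later),
    }
```

In the weak cache account B obtains a wildcard authorization it never earned; in the fixed cache only the validating account succeeds, and only until the short TTL expires.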