securityonline.info 1/23/2026, 5:20:58 AM · via preferred

Wildcard Hijack: TrustAsia Revokes 143 Certificates After LiteSSL Vulnerability

LiteSSL, a free wildcard certificate authority under TrustAsia, was found to have a critical domain-validation vulnerability that allowed unauthorized parties to hijack the issuance process. TrustAsia subsequently revoked 143 certificates: 140 affected, still-valid certificates were revoked in a batch, while the remaining three had already been revoked earlier. The incident was disclosed on Bugzilla.

The flaw stemmed from a misconfiguration in LiteSSL’s ACME service and a long-lived DNS-01 challenge cache, so that issuance did not verify that a CSR originated from the same ACME account that performed validation. This enabled wildcard re-issuance for domains validated by others. Researchers also observed that the ACME service frequently attributed requests to an internal reverse proxy IP (10.254.14[.]70), triggering rate limits and exposing deeper telemetry handling issues.
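The missing check described above can be modelled in a few lines. This is an added illustration, not LiteSSL's or TrustAsia's code: the account names, the `example.com` domain, the 8-hour reuse window and all function names are assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Authorization:
    account_id: str         # ACME account that completed the DNS-01 challenge
    domain: str             # base domain validated (covers *.domain orders)
    validated_at: datetime  # when the challenge succeeded

# Assumed reuse window for this sketch; not LiteSSL's actual setting.
MAX_REUSE = timedelta(hours=8)

def find_reusable(cache, domain, now, account_id=None):
    """Return a cached authorization that may be reused, or None."""
    for auth in cache:
        if auth.domain != domain:
            continue
        if now - auth.validated_at > MAX_REUSE:
            continue  # stale validation: a fresh challenge is required
        if account_id is not None and auth.account_id != account_id:
            continue  # validated by a different account: not reusable
        return auth
    return None

def may_issue_unbound(cache, requester, domain, now):
    # Flawed pattern: the cache is consulted by domain only, so the
    # requester's identity never enters the decision.
    return find_reusable(cache, domain, now) is not None

def may_issue_bound(cache, requester, domain, now):
    # Corrected pattern: reuse only what the requesting account validated.
    return find_reusable(cache, domain, now, account_id=requester) is not None

# Constructed sample data: one account validated example.com an hour ago.
NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=2)
CACHE = [Authorization("acct-owner", "example.com", NOW - timedelta(hours=1))]

if __name__ == "__main__":
    for acct in ("acct-owner", "acct-other"):
        print(acct,
              "unbound:", may_issue_unbound(CACHE, acct, "example.com", NOW),
              "bound:", may_issue_bound(CACHE, acct, "example.com", NOW))
```

Binding the lookup to the requesting account and keeping the reuse window short are independent safeguards; the bound check above applies both.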

In response, TrustAsia suspended issuance, remediated the issue, revoked affected authorisations, and restored the external ACME service, while advising users who obtained certificates after 29 December 2025 to inspect their status urgently. According to the publication, the fixes have since been deployed and LiteSSL has resumed wildcard issuance with strengthened safeguards.

Article by CyberSIXT