01 · The Real Story
This is a lockpick that only works if you still left a 2012-era side door bolted open
tenable:62565 is not telling you the server is actively exploitable on its own; it is telling you the service appears to meet one of CRIME's old prerequisites: negotiated TLS compression or legacy SPDY earlier than version 4. The underlying issue is a compression side channel that can leak secrets such as HTTP session cookies when compressed data is encrypted and an attacker can repeatedly influence requests and measure ciphertext lengths. In practice that means TLS 1.2-and-earlier stacks with compression enabled, or very old SPDY deployments, both of which are now mostly legacy edge cases rather than broad enterprise defaults.
The vendor's LOW rating is basically right. The attack needs a man-in-the-middle position, a victim browser you can coerce into sending many chosen requests, and a target that still negotiates obsolete compression behavior; modern defaults kill this chain in most environments. This is worth cleaning up if the finding is real, but it should not outrank remotely exploitable server-side RCE, auth bypass, or modern edge-service bugs.
"CRIME is real, but in 2026 it is mostly a legacy-config cleanup item, not an enterprise fire drill."
02 · The Attack Path
5 steps from start to impact.
STEP 01
Get on-path to the victim session
The attacker needs to observe and tamper with the victim's HTTPS traffic path before CRIME matters. In real operations that usually means hostile Wi-Fi, a compromised proxy, malicious gateway, or some other MITM foothold; the server alone is not enough. Tooling is generic MITM infrastructure rather than a one-shot exploit.
Conditions required:
- Attacker can intercept or observe the victim's traffic path
- Victim is actively browsing the target application
Where this breaks in practice:
- This is not unauthenticated internet-to-server exploitation; it assumes network position first
- Modern enterprise egress, VPNs, secure web gateways, and managed Wi-Fi reduce casual MITM opportunities
Detection/coverage: Traditional vuln scanners do not validate this step. Network telemetry, rogue AP detection, and proxy logs are the useful controls here.
STEP 02
Force chosen plaintext into repeated requests
Using a malicious page or injected script, the attacker makes the victim browser send many requests whose contents partially overlap with unknown secrets such as cookies. Classic writeups and PoCs from the original CRIME research demonstrate this iterative request-generation phase. The attack is a compression oracle, not a memory corruption exploit.
Conditions required:
- Victim must render attacker-controlled content or be redirected to it
- Target cookies or headers must be sent in the influenced requests
Where this breaks in practice:
SameSitecookies, CSRF protections, origin isolation, and modern browser behavior can reduce or break the request pattern- The attack is noisy and needs many requests, which raises operational cost
Detection/coverage: Web logs may show bursts of repetitive requests from one client session, but scanners usually cannot prove exploitability from the outside.
STEP 03
Negotiate a vulnerable compression path
The service must actually negotiate TLS compression or expose legacy SPDY behavior that compresses attacker-influenced data alongside secrets. Nessus plugin 62565 explicitly says it only checks for the prerequisite configuration and does not attempt the attack. Tool reference:
openssl s_client can confirm negotiated TLS compression; historical CRIME PoCs include mpgn/CRIME-poc.Conditions required:
- TLS compression is enabled on the server and supported by the client, or SPDY <=3 is still in play
- A compatible client stack will negotiate that path
Where this breaks in practice:
- OpenSSL has had compression off by default since 1.1.0
- Chrome removed SPDY/NPN support in Chrome 51 in May 2016, so the SPDY branch is mostly dead in modern fleets
Detection/coverage: Good scanner coverage for the prerequisite only. Expect occasional edge false positives on unusual TLS terminators or legacy appliances.
STEP 04
Run the compression oracle
The attacker compares ciphertext lengths across many guesses to recover secret bytes a little at a time. Historical references include the original Rizzo/Duong work, Krzysztof Kotowicz's gist, and later public PoCs such as
mpgn/CRIME-poc. This is fragile compared with modern weaponized vulns: it needs stable sessions, repeated requests, and measurable length differences.Conditions required:
- Attacker can make many requests within one victim session
- Session secrets stay valid long enough to recover useful material
Where this breaks in practice:
- Rate limiting, session rotation, load balancer behavior, reauthentication, and packet loss all make extraction slower or fail outright
- Impact is usually one web session at a time, not server takeover
Detection/coverage: No mainstream scanner executes the oracle safely. Detection is behavioral: repetitive request bursts, odd navigation patterns, and session hijack indicators.
STEP 05
Replay the stolen session
If enough cookie material is recovered, the attacker can replay the victim's session and act as that user until the session expires or is invalidated. This is a confidentiality-and-session-hijack problem, not code execution on the server. Tooling after extraction is just normal browser or HTTP client replay.
Conditions required:
- Recovered cookie or token is still valid
- Application does not bind session strongly to device, client cert, or reauth gates
Where this breaks in practice:
- Short TTLs, device binding, step-up auth for sensitive actions, and session revocation limit blast radius
- This generally compromises one user session, not the whole platform
Detection/coverage: Look for impossible-travel session reuse, user-agent drift, concurrent session anomalies, and replays from different network paths.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No current evidence this issue is being used as a modern enterprise intrusion primitive. It is not listed in the CISA KEV catalog as of 2026-06-01, and Tenable says no known exploits are available for the plugin finding. |
|---|---|
| Proof-of-concept availability | Yes, but mostly historical research code: original work by Juliano Rizzo and Thai Duong, early public PoCs from xorninja and Krzysztof Kotowicz, and later GitHub code such as mpgn/CRIME-poc. |
| EPSS | A current EPSS-style reference page shows 8.49% (93rd percentile) for CVE-2012-4929, but treat that cautiously here: the enterprise gating factors are much harsher than the raw score suggests. |
| KEV status | Absent from KEV. No CISA due date, no federal emergency signal, no active-campaign pressure. |
| CVSS interpretation | Legacy CVSSv2 for the related CRIME CVEs is 2.6 / LOW with AV:N/AC:H/Au:N/C:P/I:N/A:N, which fits reality better than most scanner-era network findings: remote reachability exists, but exploitation complexity is genuinely high and impact is confidentiality-only. |
| Affected condition | This finding applies when the endpoint negotiates TLS compression under TLS 1.2 or earlier, or still offers SPDY <=3. It is a configuration and protocol-behavior problem, not a single-product patch-level bug. |
| Fixed posture | The practical fix state is to disable TLS compression and retire old SPDY/NPN paths. OpenSSL documents compression as off by default since 1.1.0, and Chromium removed SPDY/NPN support in Chrome 51. |
| Exposure data | Historical internet exposure was meaningful in 2012: Qualys SSL Pulse observed roughly 42% of tested servers supporting TLS compression at the time. That figure is useful mainly as history; current real-world exposure is far lower because the feature is obsolete and disabled by default in modern stacks. |
| Disclosure date | Public disclosure landed on 2012-09-15 for the CVE records Tenable maps to this class of issue. |
| Scanner nuance | Plugin 62565 runs in paranoid mode and explicitly says Nessus did not attempt to launch the CRIME attack. Read it as a prerequisite/configuration flag, not proof of end-to-end exploitability. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to LOW (1.8/10)
The decisive factor is the attacker position requirement: CRIME needs an on-path attacker plus a victim browser interaction before the server-side prerequisite even matters. On top of that, the reachable population is tiny in 2026 because TLS compression is off by default in modern OpenSSL and SPDY has been dead in mainstream browsers for years.
HIGH Severity bucket stays LOW for enterprise patch prioritization
HIGH Modern SPDY-based exploitation is practically irrelevant
MEDIUM Individual findings are true positives rather than legacy-TLS edge noise
Why this verdict
- Needs MITM first: this is not an unauthenticated internet-to-server exploit chain. Requiring on-path traffic control is major downward pressure from the vendor baseline.
- Feature retirement crushes exposure: real exploitation needs negotiated TLS compression or old SPDY. OpenSSL disabled compression by default in 1.1.0, and Chrome removed SPDY/NPN in Chrome 51, so only legacy stacks remain.
- Blast radius is narrow: successful exploitation usually steals one user's session cookie. There is no server-side code execution, no wormability, and no straightforward path to host takeover.
Why not higher?
There is no credible case for pushing this above LOW in a modern enterprise unless you have a very specific legacy internet-facing application with confirmed TLS compression and high-value browser sessions over hostile networks. Every important prerequisite narrows the attack population: attacker position, victim interaction, protocol behavior, and session stability.
Why not lower?
It is still a real confidentiality weakness if the prerequisite is truly present. A hostile on-path attacker can turn it into session hijack against exposed user workflows, so completely ignoring a confirmed internet-facing instance would be too dismissive.
05 · Compensating Control
What to do — in priority order.
- Disable TLS compression — Turn off TLS-level compression on the actual terminator that answered the scan: load balancer, reverse proxy, web server, VPN gateway, or embedded appliance. For a LOW verdict there is no formal SLA, so fold this into the next routine TLS hardening window rather than an emergency change.
- Retire SPDY and NPN — If any legacy edge device still advertises SPDY or old NPN behavior, remove it and standardize on HTTP/2 or HTTP/3. In 2026 this is backlog hygiene work; schedule it in the next normal platform cleanup cycle.
- Harden session cookies — Use
SameSite, short session lifetimes, rotation after login, and reauthentication for sensitive actions to reduce the usefulness of any stolen cookie. This does not fix the root cause, but it cuts the practical value of a successful oracle attack during the next application security sprint. - Validate the finding at the edge — Confirm which device actually negotiates TLS for the reported port before assigning work. Many environments terminate TLS on ADCs or CDN edges, so the right owner is often network/platform engineering rather than the app team.
What doesn't work
- MFA alone doesn't stop reuse of an already-issued web session cookie after login.
- A WAF usually cannot see or block the side channel itself; the leak comes from ciphertext length behavior, not a single malicious payload.
- Enabling TLS 1.3 somewhere else is not enough if the scanned endpoint can still negotiate older compressed TLS behavior on the path that matters.
06 · Verification
Crowdsourced verification payload.
Run this from an auditor workstation that can reach the target TCP port; no root is required. Invoke it as ./check_crime_tls.sh example.com:443 or ./check_crime_tls.sh 10.20.30.40:8443. It verifies the TLS-compression branch of the CRIME prerequisite using openssl; if your local OpenSSL lacks compression support, it returns UNKNOWN rather than guessing.
#!/usr/bin/env bash
# check_crime_tls.sh
# Verify whether a target negotiates TLS compression, a prerequisite for CRIME.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 1=VULNERABLE, 0=PATCHED, 2=UNKNOWN
set -u
TARGET="${1:-}"
if [[ -z "$TARGET" ]]; then
echo "UNKNOWN"
exit 2
fi
if ! command -v openssl >/dev/null 2>&1; then
echo "UNKNOWN"
exit 2
fi
HOST="$TARGET"
PORT="443"
if [[ "$TARGET" == *:* ]]; then
HOST="${TARGET%%:*}"
PORT="${TARGET##*:}"
fi
# Use -comp to request compression if the local OpenSSL supports it.
# Lower security level only for the handshake probe; this does not change the target.
CMD=(openssl s_client -connect "${HOST}:${PORT}" -servername "$HOST" -tls1_2 -comp -cipher 'DEFAULT:@SECLEVEL=1')
OUT=$(timeout 15 bash -c "printf '' | \"${CMD[0]}\" ${CMD[*]:1}" 2>&1)
RC=$?
if [[ $RC -ne 0 && $RC -ne 1 ]]; then
echo "UNKNOWN"
exit 2
fi
# If local OpenSSL was built without compression capability, -comp may be unsupported
# or the handshake output may not include a Compression line.
COMP_LINE=$(printf '%s\n' "$OUT" | awk '/Compression:/ {print; found=1} END{if(!found) print ""}')
if [[ -z "$COMP_LINE" ]]; then
echo "UNKNOWN"
exit 2
fi
if printf '%s\n' "$COMP_LINE" | grep -Eq 'Compression:\s*NONE'; then
echo "PATCHED"
exit 0
fi
if printf '%s\n' "$COMP_LINE" | grep -Eq 'Compression:\s*(zlib|ZLIB|DEFLATE|[A-Za-z0-9_-]+)'; then
echo "VULNERABLE"
exit 1
fi
echo "UNKNOWN"
exit 2
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not treat
tenable:62565 like a break-fix emergency. First confirm whether the finding is a real edge configuration issue on a live TLS terminator; if it is, disable TLS compression / retire any legacy SPDY path in the next normal hardening cycle and document the business owner. Because this reassesses to LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, not an interrupt-driven patch event.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.