HeadlinesBriefing.com

TLS Intercept Failure Highlights acme.sh Vulnerability

Hacker News

TLS relies on publicly trusted root Certificate Authorities to anchor its trust chains, so a certificate that a trusted CA issues to the wrong party defeats the protocol without any visible error. In October 2023, investigators uncovered a lawful‑intercept setup that used Let's Encrypt certificates issued for jabber.ru, the largest Russian XMPP service, to tap its traffic at its hosting providers, Hetzner and Linode. The operation faltered when the interceptor's certificate expired: clients began raising certificate‑expired errors, which exposed the intercept to public scrutiny. The exposure presumably forced whoever ran the intercept to rework their procedures.

The breach is attributed to acme.sh, a shell script that automates ACME certificate issuance and renewal. The first rogue certificate for jabber.ru was issued on 18 April 2023, when the server was running a vulnerable version; a remote code execution flaw in acme.sh was disclosed as CVE‑2023‑38198 on 8 June 2023 and patched in version 3.0.6 the next day. Researchers traced the in‑the‑wild exploitation to HiCA, a certificate authority whose ACME endpoint used the bug to run shell commands on clients that requested certificates from it. The timeline suggests the flaw had been exploited for weeks before it was disclosed.

The vulnerability hinged on how acme.sh handled the ACME http‑01 challenge token: data supplied by the CA reached the shell's eval, so a token carrying command substitution was executed with the client's privileges, and the proof‑of‑concept relies on the shell's IFS variable to assemble a payload without literal spaces. Reproducing the GitHub proof‑of‑concept proved unreliable, since on typical systems other filters and parsing layers block the IFS trick. The incident shows how a routine renewal script becomes an attack surface when it trusts the server it talks to and is not promptly patched. The practical lesson is to audit ACME clients, and any script that builds shell commands from server‑supplied data, more rigorously.
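As an added illustration (not code from acme.sh, HiCA, or the original article), the following POSIX shell script shows the bug class in miniature: a challenge handler that extracts the http‑01 token from the CA's JSON and builds the key authorization, once through `eval` (vulnerable) and once behind an allowlist check on the token (hardened). The challenge objects, the `ca.example` URLs, the thumbprint values and the function names are all constructed for this example; the hostile token uses `${IFS}` in place of a space so that it would pass a filter that merely rejects whitespace.

```shell
#!/bin/sh
# Added example: a toy http-01 challenge handler in the style of a shell ACME
# client. Not acme.sh code; every value below is constructed for illustration.

# Benign challenge object as a well-behaved CA would return it (constructed).
BENIGN_CHALLENGE='{"type":"http-01","status":"pending","url":"https://ca.example/chall/1","token":"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"}'

# Hostile challenge object from a rogue CA (constructed). The token carries a
# command substitution; ${IFS} stands in for the space so the payload contains
# no literal whitespace. A real attacker would run something worse than echo.
HOSTILE_CHALLENGE='{"type":"http-01","status":"pending","url":"https://ca.example/chall/2","token":"abc$(echo${IFS}INJECTED)def"}'

# Pull the token out of the challenge JSON the way a sed-based client might.
extract_token() {
  printf '%s\n' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# VULNERABLE: the key authorization is assembled through eval, so shell syntax
# inside the CA-supplied token is executed with the client's privileges.
vulnerable_keyauth() {
  token=$(extract_token "$1")
  thumbprint=$2
  eval "keyauth=\"$token.$thumbprint\""   # BUG: token is attacker-controlled
  printf '%s\n' "$keyauth"
}

# Allowlist check: RFC 8555 section 8.3 tokens are base64url without padding
# and carry at least 128 bits of entropy, i.e. at least 22 characters.
is_valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -ge 22 ]
}

# HARDENED: validate before use and never hand the token to eval.
safe_keyauth() {
  token=$(extract_token "$1")
  thumbprint=$2
  if ! is_valid_token "$token"; then
    printf 'rejecting challenge: token is not a base64url string\n' >&2
    return 1
  fi
  printf '%s.%s\n' "$token" "$thumbprint"
}

# Demo when run directly (the thumbprint is a placeholder, not a real JWK hash).
vulnerable_keyauth "$HOSTILE_CHALLENGE" "thumbprint-placeholder"
safe_keyauth "$HOSTILE_CHALLENGE" "thumbprint-placeholder" || echo "hostile token rejected"
safe_keyauth "$BENIGN_CHALLENGE" "thumbprint-placeholder"
```

Run it with `sh`: `vulnerable_keyauth` on the hostile challenge returns a key authorization containing `INJECTED`, proof that the CA's bytes reached the shell, while `safe_keyauth` refuses the same input. The hardened check is an allowlist on the token alphabet rather than a blocklist for `$`, backticks or IFS: RFC 8555 tokens are base64url, so anything else is rejected outright, whatever trick the payload uses to smuggle spaces.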