Or issued by another CA. And it is only a problem for a new cert, not for a renewal.
And in the case of the “multi-tenant infrastructure” mentioned in the report, I can’t find a valid use case where the vhost would be wrong (and then fall back) for the user but right for the attacker…
Cases with no vhost at all and a fallback to the default vhost managed by the admin of the overall infra (who can issue a cert for any of the tenants if he wants, even without the fallback, because he is root on the server), or with a vhost for both the attacker and the user (and so no risk), are possible.
The case where the default vhost has lower precedence is very unlikely on a multi-tenant infra (a security risk far larger than just the HTTPS/cert-issuing part).