CVE-2025-41255 (GCVE-0-2025-41255)

Vulnerability from cvelistv5 – Published: 2025-06-25 09:21 – Updated: 2025-06-25 13:33
VLAI?
Summary
Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.
Severity ?
8 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
Vendor Product Version
iterate GmbH Cyberduck Affected: 0 , ≤ 9.1.6 (semver)
Create a notification for this product.
Credits
Thomas Kostal Andreas Boll
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41255",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T13:33:24.899723Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T13:33:27.985Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cyberduck",
          "repo": "https://github.com/iterate-ch/cyberduck",
          "vendor": "iterate GmbH",
          "versions": [
            {
              "lessThanOrEqual": "9.1.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Mountain Duck",
          "vendor": "iterate GmbH",
          "versions": [
            {
              "lessThanOrEqual": "4.17.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thomas Kostal"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Andreas Boll"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctt\u003e\u003c/tt\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cdiv\u003e\n\n\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eCyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\n\n\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Cyberduck through 9.1.6 and Mountain Duck through\u0026nbsp;4.17.5.\u003c/p\u003e"
            }
          ],
          "value": "Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.\n\n\n\n\n\n\n\n\n\n\n\nThis issue affects Cyberduck through 9.1.6 and Mountain Duck through\u00a04.17.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266: Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T09:28:38.711Z",
        "orgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
        "shortName": "sba-research"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cyberduck and Mountain Duck - Improper Certificate Store Handling",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a",
    "assignerShortName": "sba-research",
    "cveId": "CVE-2025-41255",
    "datePublished": "2025-06-25T09:21:37.479Z",
    "dateReserved": "2025-04-16T09:37:50.630Z",
    "dateUpdated": "2025-06-25T13:33:27.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-41255\",\"sourceIdentifier\":\"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\",\"published\":\"2025-06-25T10:15:21.783\",\"lastModified\":\"2025-06-26T18:58:14.280\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis issue affects Cyberduck through 9.1.6 and Mountain Duck through\u00a04.17.5.\"},{\"lang\":\"es\",\"value\":\"Cyberduck y Mountain Duck gestionan incorrectamente la fijaci\u00f3n de certificados TLS para certificados no confiables (p. ej., autofirmados), instal\u00e1ndolos innecesariamente en el almac\u00e9n de certificados de Windows del usuario actual sin ninguna restricci\u00f3n. Este problema afecta a Cyberduck hasta la versi\u00f3n 9.1.6 y a Mountain Duck hasta la versi\u00f3n 4.17.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-266\"}]}],\"references\":[{\"url\":\"https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655\",\"source\":\"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\"},{\"url\":\"https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling\",\"source\":\"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\"},{\"url\":\"https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-41255\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-25T13:33:24.899723Z\"}}}], \"references\": [{\"url\": \"https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-25T13:33:19.194Z\"}}], \"cna\": {\"title\": \"Cyberduck and Mountain Duck - Improper Certificate Store Handling\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thomas Kostal\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Andreas Boll\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/iterate-ch/cyberduck\", \"vendor\": \"iterate GmbH\", \"product\": \"Cyberduck\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.1.6\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"iterate GmbH\", \"product\": \"Mountain Duck\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.17.5\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nThis issue affects Cyberduck through 9.1.6 and Mountain Duck through\\u00a04.17.5.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003ctt\u003e\u003c/tt\u003e\u003cp\u003e\\n\\n\u003c/p\u003e\u003cdiv\u003e\\n\\n\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eCyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\\n\\n\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Cyberduck through 9.1.6 and Mountain Duck through\u0026nbsp;4.17.5.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-266\", \"description\": \"CWE-266: Incorrect Privilege Assignment\"}]}], \"providerMetadata\": {\"orgId\": \"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\", \"shortName\": \"sba-research\", \"dateUpdated\": \"2025-06-25T09:28:38.711Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-41255\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-25T13:33:27.985Z\", \"dateReserved\": \"2025-04-16T09:37:50.630Z\", \"assignerOrgId\": \"1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a\", \"datePublished\": \"2025-06-25T09:21:37.479Z\", \"assignerShortName\": \"sba-research\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.