CVE-2025-41255
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-06-26
Assigner: sba-research
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Cyberduck (≤ 9.1.6) and Mountain Duck (≤ 4.17.5) involves improper handling of TLS certificate pinning for untrusted certificates, such as self-signed certificates. When a user chooses to permanently trust an unknown TLS certificate, the applications not only store the certificate fingerprint in their configuration files but also install the certificate into the Windows Certificate Store under the current user's Trusted Root Certification Authorities with unrestricted purposes. This means the certificate is trusted by all programs relying on the Windows Certificate Store, potentially allowing misuse such as man-in-the-middle attacks or code signing impersonation. The applications do not need to install the certificate in the Windows Certificate Store to verify pinned certificates, as they rely on their own configuration files for this purpose. The issue was fixed by removing the installation of the certificate into the Windows Certificate Store and only storing the fingerprint in the app configuration. [1]
How can this vulnerability impact me?
This vulnerability can increase your system's attack surface by allowing an attacker to exploit the improperly trusted certificate installed in the Windows Certificate Store. Since the certificate is trusted for all purposes, including server authentication and code signing, attackers could perform man-in-the-middle attacks, impersonate legitimate servers, or sign malicious code that appears trusted by the system. This could compromise not only Cyberduck or Mountain Duck connections but also other applications relying on the Windows Certificate Store, leading to broader system compromise. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if any untrusted TLS certificates (e.g., self-signed certificates accepted via Cyberduck or Mountain Duck) have been installed into the Windows Certificate Store under the current user's Trusted Root Certification Authorities with full trust. Specifically, look for certificates that were not explicitly trusted by the user outside these applications. On Windows, you can use the following PowerShell command to list certificates in the current user's Trusted Root Certification Authorities store: Get-ChildItem -Path Cert:\CurrentUser\Root. Review the certificates for any unexpected or self-signed entries that may have been added by Cyberduck or Mountain Duck. Additionally, monitoring network connections to TLS-encrypted WebDAV servers with self-signed certificates may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Cyberduck to version 9.1.7 or later and Mountain Duck to version 4.17.6 or later, as these versions remove the behavior of installing untrusted certificates into the Windows Certificate Store and instead only store the certificate fingerprint in the application's configuration file. Additionally, review and remove any untrusted certificates that were previously installed into the Windows Certificate Store by these applications to reduce the attack surface. [1]
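The detection and clean-up steps above both start from the same enumeration of the current user's Trusted Root store. As an added example (not from the advisory, BaseFortify, or the Cyberduck/Mountain Duck projects), the script below extends the one-line Get-ChildItem check: it keeps only self-signed entries that are not marked as a CA (a server certificate accepted through a client looks like that, whereas genuine root CAs carry CA=true), and reports whether each one lacks an EKU restriction, i.e. is trusted for every purpose. The $KnownGood thumbprint list is an assumed operator-supplied allow-list; whether a given entry came from these applications still has to be confirmed by the reviewer.

```powershell
# Added example: find self-signed, non-CA certificates sitting in the current user's
# Trusted Root store, the shape of entry this advisory describes.
param(
    # Thumbprints already reviewed and deliberately accepted (assumed input; empty by default).
    [string[]] $KnownGood = @()
)

function Get-SuspiciousUserRoots {
    param([string[]] $Allow = @())

    Get-ChildItem -Path Cert:\CurrentUser\Root | ForEach-Object {
        $cert = $_
        # Issued to itself: true for both real root CAs and the self-signed server certs at issue.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        # Real roots assert CA=true in Basic Constraints; a server (leaf) certificate does not.
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = ($null -ne $bc -and $bc.CertificateAuthority)
        # No Enhanced Key Usage extension means the certificate is usable for every purpose
        # (server authentication, code signing, ...). Store-level purpose restrictions set
        # through certmgr.msc are not visible via this API, so treat this as a heuristic.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $allPurposes = ($null -eq $eku -or $eku.EnhancedKeyUsages.Count -eq 0)
        # A Subject Alternative Name with DNS entries (OID 2.5.29.17) is typical of a server cert.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $serverLike = [bool]($san -and ($san.Format($false) -match 'DNS Name='))

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            AllPurposes = $allPurposes
            ServerLike  = $serverLike
            SelfSigned  = $selfSigned
            IsCA        = $isCa
            KnownGood   = ($Allow -contains $cert.Thumbprint)
        }
    } | Where-Object { $_.SelfSigned -and -not $_.IsCA -and -not $_.KnownGood }
}

$findings = Get-SuspiciousUserRoots -Allow $KnownGood
if ($findings) {
    $findings | Format-Table Thumbprint, Subject, NotAfter, AllPurposes, ServerLike -AutoSize
    # After confirming an entry was not knowingly trusted system-wide, remove it by thumbprint:
    #   Remove-Item -Path ("Cert:\CurrentUser\Root\" + $thumbprint)
} else {
    'No unexpected self-signed, non-CA certificates in Cert:\CurrentUser\Root.'
}
```

Run it in the affected user's session, since the store being checked is per-user; an entry flagged with AllPurposes = True is the combination the advisory warns about.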