CVE-2025-59270
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-26

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' position could manipulate the TLS handshake and downgrade TLS to a deprecated protocol. Fixed in 7.0.209.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-26
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59270
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pspete pspas From 6.4.85 (inc) to 7.0.209 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the psPAS PowerShell module where the 'Get-PASSAMLResponse' function does not explicitly enforce the use of TLS 1.2 during the SAML authentication process. This allows an unauthenticated attacker positioned as a Man-in-the-Middle to manipulate the TLS handshake and downgrade the connection to a deprecated, less secure protocol.

Impact Analysis

The vulnerability could allow an attacker to intercept and manipulate authentication traffic by downgrading the TLS protocol, potentially exposing sensitive authentication data or enabling unauthorized access through weakened encryption.

Mitigation Strategies

Update the psPAS PowerShell module to version 7.0.209 or later, where the vulnerability is fixed by explicitly enforcing TLS 1.2 in the 'Get-PASSAMLResponse' function to prevent TLS downgrade attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart