CVE-2025-59270
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-26
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pspete | pspas | From 6.4.85 (inc) to 7.0.209 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-757 | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the psPAS PowerShell module where the 'Get-PASSAMLResponse' function does not explicitly enforce the use of TLS 1.2 during the SAML authentication process. This allows an unauthenticated attacker positioned as a Man-in-the-Middle to manipulate the TLS handshake and downgrade the connection to a deprecated, less secure protocol.
How can this vulnerability impact me? :
The vulnerability could allow an attacker to intercept and manipulate authentication traffic by downgrading the TLS protocol, potentially exposing sensitive authentication data or enabling unauthorized access through weakened encryption.
What immediate steps should I take to mitigate this vulnerability?
Update the psPAS PowerShell module to version 7.0.209 or later, where the vulnerability is fixed by explicitly enforcing TLS 1.2 in the 'Get-PASSAMLResponse' function to prevent TLS downgrade attacks.