CVE-2025-44005
Authorization Bypass in Step CA ACME/SCEP Provisioners Enables Unauthorized Certificate Issuance

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: Talos

Description
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
Affected Vendors & Products
Vendor Product Version / Range
smallstep step-ca 0.29.0
smallstep step-ca 0.28.4
smallstep step-ca 0.28.3
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2025-44005 is an authorization bypass in the ACME and SCEP provisioners of Step CA. These provisioners normally rely on their protocols' built-in authorization and do not take tokens at all, but affected versions accepted crafted tokens claiming to be issued for them without validating those tokens. An attacker with network access to the CA and no prior privileges can therefore make the provisioner issue a certificate without completing the protocol's authorization steps. Some CA policies are still enforced on the resulting request, but confidentiality and integrity are compromised because certificates can be obtained without authorization. No CVSS score is given on this page. [1, 2]

Impact Analysis

An attacker with no privileges and no user interaction can obtain certificates the CA would otherwise have refused. This undermines the confidentiality and integrity of everything that trusts the CA: a certificate issued this way can be used to impersonate a service, intercept or manipulate TLS traffic, or authenticate to systems that accept the CA's certificates as proof of identity. Availability is not affected. [1, 2]

Detection Guidance

Detection should focus on requests to the Step CA /sign endpoint that carry a token whose issuer names an ACME or SCEP provisioner: legitimate ACME and SCEP clients never present a token to /sign, so any such request is either a misconfigured client or an exploitation attempt. Inspect CA logs for token-based signing requests and certificate signing requests (CSRs) that were accepted without the usual ACME or SCEP authorization. Note that the one-time token travels in the request body rather than the URL, so a plain access log that records only method and path will show the /sign call but not which provisioner the token claims; correlate with the CA's own request logging or issued-certificate records. The resources do not provide specific commands or signatures. [1, 2]

Mitigation Strategies

The fix is to upgrade Step CA to the patched release, which rejects any request that supplies a token to an ACME or SCEP provisioner. The resources name 0.29.0 as the fixed version, but the CPE list on this page also includes 0.29.0 among affected versions, so confirm the exact fixed release against the vendor advisory rather than relying on the version number alone. If upgrading is not immediately possible, restricting network access to the /sign endpoint to trusted clients prevents unauthorized certificate issuance through this path while ACME and SCEP clients, which do not use /sign with a token, continue to work. [1, 2]
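The two points above, detecting token-bearing /sign requests aimed at ACME or SCEP provisioners and the post-fix rule of refusing such requests, are worked through in the following added example. This is illustrative code written for this page, not step-ca's own implementation. It assumes, as step-ca's JWK provisioner tokens do, that the token's `iss` claim carries the provisioner name; the provisioner list mirrors the shape of `authority.provisioners` in ca.json, but the names, the `/1.0/sign` path, and the JSON log records are constructed for the example and do not reproduce step-ca's real log format.

```python
"""Added example (not step-ca code): triage /sign requests whose one-time token (ott)
names an ACME or SCEP provisioner as issuer. Per CVE-2025-44005 such provisioners
should never be addressed by token, so a token whose `iss` is one of them is a
bypass attempt, and the patched CA refuses it outright."""
import base64
import json

# Constructed provisioner list in the shape of ca.json's authority.provisioners
# (names are illustrative; the "type" values are what matter here).
PROVISIONERS = [
    {"type": "ACME", "name": "acme"},
    {"type": "SCEP", "name": "scep"},
    {"type": "JWK", "name": "admin@example.com"},
]

# Provisioner types that rely on protocol-level authorization and take no token.
TOKENLESS_TYPES = {"ACME", "SCEP"}


def tokenless_provisioner_names(provisioners):
    """Names of provisioners that must never appear as a token issuer."""
    return {p["name"] for p in provisioners if p["type"].upper() in TOKENLESS_TYPES}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the JWT payload without verifying the signature (triage only: the
    point is to see which provisioner the token claims, not to trust it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims):
    """Build a JWT-shaped token with a dummy signature, only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "kid": "sample"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'sig')}"


def token_is_suspicious(token, provisioners):
    """True when the token's `iss` (assumed to carry the provisioner name, as
    step-ca JWK tokens do) names an ACME or SCEP provisioner."""
    return decode_jwt_claims(token).get("iss") in tokenless_provisioner_names(provisioners)


def should_reject_sign_request(provisioner, token):
    """The post-fix rule as the page describes it: a request that supplies a token
    to an ACME or SCEP provisioner is refused before any signing logic runs."""
    return token is not None and provisioner["type"].upper() in TOKENLESS_TYPES


def scan_sign_requests(log_lines, provisioners):
    """Return /sign records whose token names a tokenless provisioner, plus any
    /sign record whose token cannot be parsed at all (also worth an analyst's look)."""
    flagged = []
    for line in log_lines:
        rec = json.loads(line)
        if not rec.get("path", "").endswith("/sign") or "ott" not in rec:
            continue
        try:
            suspicious = token_is_suspicious(rec["ott"], provisioners)
        except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
            suspicious = True
        if suspicious:
            flagged.append(rec)
    return flagged


# Constructed sample input; step-ca's real request log format is not reproduced here.
AUD = "https://ca.example.internal/1.0/sign"
BYPASS_TOKEN = make_unsigned_token({"iss": "acme", "aud": AUD, "sans": ["web.example.internal"]})
LEGIT_TOKEN = make_unsigned_token({"iss": "admin@example.com", "aud": AUD, "sans": ["web.example.internal"]})
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": "/1.0/sign", "ott": BYPASS_TOKEN}),
    json.dumps({"src": "10.0.0.9", "method": "POST", "path": "/1.0/sign", "ott": LEGIT_TOKEN}),
    json.dumps({"src": "10.0.0.7", "method": "GET", "path": "/acme/acme/directory"}),
]

if __name__ == "__main__":
    for rec in scan_sign_requests(SAMPLE_LOG, PROVISIONERS):
        print(f"suspicious /sign from {rec['src']}: iss={decode_jwt_claims(rec['ott']).get('iss')}")
```

Only the first record is flagged: its token names the `acme` provisioner, which has no business receiving a token, while the second is a normal JWK-provisioner request and the third is ordinary ACME traffic that never touches /sign. The signature is deliberately not verified in the triage path, since a forged or expired token aimed at an ACME or SCEP provisioner is exactly what you want to see.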

Compliance Impact

The provided resources do not discuss the impact of this vulnerability on compliance with standards or regulations such as GDPR or HIPAA. Because the flaw allows unauthorized certificate issuance, it can undermine the confidentiality and integrity controls those frameworks require, so organizations relying on the affected CA should assess it in that light. [1, 2]
