CVE-2025-44005
Authorization Bypass in Step CA ACME/SCEP Provisioners Enables Unauthorized Certificate Issuance
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: Talos
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smallstep | step-ca | 0.29.0 |
| smallstep | step-ca | 0.28.4 |
| smallstep | step-ca | 0.28.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-44005 is a critical authorization bypass vulnerability in the Step CA software's ACME and SCEP provisioners. Normally, these provisioners rely on built-in protocol authorization and do not require tokens. However, they improperly accepted crafted tokens claiming to be issued for them without validating these tokens correctly. This flaw allows an attacker with network access and no privileges to bypass authorization checks and cause the provisioners to issue certificates without completing necessary authorization steps. Although some CA policies remain enforced, this vulnerability compromises confidentiality and integrity by allowing unauthorized certificate creation. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow an attacker with no privileges and no user interaction to create unauthorized certificates by bypassing authorization checks. This impacts the confidentiality and integrity of the certificate issuance process, potentially enabling attackers to impersonate entities, intercept or manipulate encrypted communications, or perform other malicious activities that rely on trusted certificates. Availability is not affected. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring and identifying unauthorized or suspicious requests to the /sign endpoint of the Step CA service, especially those accompanied by tokens that claim to be for ACME or SCEP provisioners. Since the vulnerability involves crafted tokens bypassing authorization, inspecting logs for unusual token usage or certificate signing requests (CSRs) submitted without proper authorization is key. Specific commands are not provided in the resources, but network monitoring tools or log analysis targeting HTTP requests to the /sign endpoint with tokens can help detect exploitation attempts. [1, 2]
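The monitoring approach described above, as an added example that is not part of the advisory and not code from smallstep: a small log-triage filter that reads step-ca access logs as JSON lines and flags POST requests to the /sign endpoint whose provisioner is of type ACME or SCEP, which is exactly the combination this CVE concerns. The provisioner list follows the shape of the "authority.provisioners" array in a step-ca ca.json (each entry has a "type" and a "name"); the log field names used here ("method", "path", "status", "remote-address", "provisioner") are assumptions for the example, and the log records themselves are constructed.

```python
import json
from typing import Iterable

# Constructed provisioner list in the shape of the "authority.provisioners"
# array of a step-ca ca.json. Names and types are example values only.
PROVISIONERS = [
    {"type": "JWK", "name": "admin"},
    {"type": "ACME", "name": "acme"},
    {"type": "SCEP", "name": "scep"},
]

# Provisioner types that use built-in protocol authorization and should
# never be driven through a token-bearing /sign request (CVE-2025-44005).
TOKEN_FREE_TYPES = {"ACME", "SCEP"}

# Constructed JSON-lines log records. The field names, in particular
# "provisioner", are ASSUMED for this example; check the access-log format
# of your own step-ca deployment before reusing this filter.
SAMPLE_LOG = """\
{"method":"POST","path":"/1.0/sign","status":201,"remote-address":"10.0.0.5","provisioner":"admin"}
{"method":"POST","path":"/acme/acme/new-order","status":201,"remote-address":"10.0.0.9","provisioner":"acme"}
{"method":"POST","path":"/1.0/sign","status":201,"remote-address":"198.51.100.7","provisioner":"acme"}
{"method":"POST","path":"/1.0/sign","status":401,"remote-address":"198.51.100.7","provisioner":"scep"}
{"method":"GET","path":"/health","status":200,"remote-address":"10.0.0.1"}
not a json line
"""


def build_type_index(provisioners):
    """Map provisioner name -> provisioner type from a ca.json-style list."""
    return {p["name"]: p["type"] for p in provisioners}


def is_sign_path(path):
    """True for the token-based signing endpoint (/sign or /1.0/sign)."""
    return path.rstrip("/").endswith("/sign")


def find_suspicious_sign_requests(log_lines: Iterable[str], provisioners):
    """Return one record per POST /sign request attributed to an ACME or
    SCEP provisioner. Both accepted (2xx) and rejected (4xx) attempts are
    reported: a rejected attempt on a patched CA is still worth a look."""
    type_index = build_type_index(provisioners)
    hits = []
    for lineno, raw in enumerate(log_lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the triage
        if rec.get("method") != "POST" or not is_sign_path(rec.get("path", "")):
            continue
        prov = rec.get("provisioner")
        ptype = type_index.get(prov)
        if ptype in TOKEN_FREE_TYPES:
            hits.append({
                "line": lineno,
                "remote": rec.get("remote-address"),
                "provisioner": prov,
                "provisioner_type": ptype,
                "status": rec.get("status"),
            })
    return hits


def count_issued(hits):
    """Number of flagged requests the CA actually answered with a 2xx,
    i.e. signings that very likely bypassed authorization."""
    return sum(1 for h in hits if 200 <= int(h["status"] or 0) < 300)


if __name__ == "__main__":
    found = find_suspicious_sign_requests(SAMPLE_LOG.splitlines(), PROVISIONERS)
    for h in found:
        print(f"line {h['line']}: {h['remote']} -> /sign via "
              f"{h['provisioner_type']} provisioner '{h['provisioner']}' "
              f"(status {h['status']})")
    print(f"{count_issued(found)} of {len(found)} flagged requests were issued")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and PROVISIONERS with the list from your ca.json; anything it flags with a 2xx status on a pre-fix version is a certificate whose issuance should be reviewed and, if unexplained, revoked.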
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are to upgrade Step CA to version 0.29.0 or later, which fixes the vulnerability by rejecting requests that provide tokens to ACME and SCEP provisioners. If upgrading is not possible immediately, blocking network access to the /sign endpoint can mitigate exploitation by preventing unauthorized certificate issuance. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized certificate issuance, it could potentially undermine confidentiality and integrity controls required by such regulations, thereby affecting compliance. No direct statements about compliance impact are given. [1, 2]