CVE-2025-41255
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/06/2025
Last modified:
26/06/2025
Description
Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.
Impact
Base Score 3.x
8.00
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655
- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling
- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655
- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling