CVE-2025-41256

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-41256
Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak. This issue affects Cyberduck: through 9.1.6; Mountain Duck: through 4.17.5.

7.4 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash
https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash
Configurations

No configuration.

History

26 Jun 2025, 18:57

Type Values Removed Values Added
Summary
  • (es) Cyberduck y Mountain Duck gestionan incorrectamente la fijación de certificados TLS para certificados no confiables (p. ej., autofirmados), ya que la huella digital del certificado se almacena como SHA-1, aunque SHA-1 se considera débil. Este problema afecta a Cyberduck: hasta la versión 9.1.6; Mountain Duck: hasta la versión 4.17.5.

25 Jun 2025, 14:15

Type Values Removed Values Added
References () https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv - () https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv -
References () https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash - () https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_Cyberduck_Mountain_Duck_Weak_Hash -

25 Jun 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-25 10:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-41256

Mitre link : CVE-2025-41256

CVE.ORG link : CVE-2025-41256

JSON object : View

Products Affected

No product.

CWE
CWE-328

Reversible One-Way Hash