CVE-2025-41256

EUVD-2025-19095 | HIGH
2025-06-25 1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a
CVSS 3.1 base score: 7.4

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-19095
CVE Published: Jun 25, 2025 - 10:15 (nvd), HIGH 7.4

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), because the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

Analysis

Cyberduck and Mountain Duck implement TLS certificate pinning for certificates that do not chain to a trusted CA (for example a self-signed certificate the user accepted once) by storing the certificate's SHA-1 fingerprint instead of a SHA-256 fingerprint. Because SHA-1 is no longer collision resistant, an attacker who can produce a second certificate with the same SHA-1 fingerprint as the pinned one is accepted as the pinned server, which places the attacker in a man-in-the-middle position against users of affected versions. The vulnerability affects Cyberduck through version 9.1.6 and Mountain Duck through version 4.17.5. No public proof of concept or KEV listing is documented at the time of writing; the CVSS 3.1 score of 7.4 reflects high confidentiality and integrity impact, tempered by the high attack complexity (AC:H) of producing such a colliding certificate.

Technical Context

Certificate pinning binds a specific certificate (or its public key) to a host so that a later connection presenting a different certificate is rejected; this is what protects connections to servers with self-signed or private-CA certificates, where the normal CA chain check cannot help. The vulnerability is classified as CWE-328 (Use of Weak Hash): the pinned fingerprint is computed with SHA-1, for which practical collisions have been public since 2017 (the SHAttered identical-prefix collision) and chosen-prefix collisions, the variant needed to make two differently structured certificates share one fingerprint, since 2020. SHA-1 preimage resistance is not broken, so an attacker cannot simply construct a certificate matching an arbitrary existing pin; the realistic attack requires the attacker to have influenced the certificate that was originally pinned (for example by serving one half of a colliding pair from a host the user first trusted), which is why the CVSS vector rates attack complexity High. Cyberduck (CPE: cpe:2.3:a:cyberduck:cyberduck) and Mountain Duck (CPE: cpe:2.3:a:cyberduck:mountain_duck) are file transfer clients for FTP/FTPS, SFTP, WebDAV and cloud storage protocols; certificate pinning applies to the TLS-based protocols (FTPS, WebDAV over HTTPS, S3-compatible endpoints and similar), while SFTP relies on SSH host keys instead. On those TLS sessions a successful MITM exposes credentials and file contents and allows tampering in transit. The root cause is the selection of SHA-1 as the pinning hash algorithm rather than SHA-256 or a stronger alternative.
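To make the weakness concrete, the following is an added example, not code from Cyberduck or Mountain Duck: a minimal pin store in Python that keeps the SHA-1 form described above beside the SHA-256 form, infers which hash produced a stored pin from its length, and migrates existing pins to SHA-256 on the next connection. The DER byte strings are constructed placeholders (a real client hashes the exact DER of the X.509 certificate), and the in-memory store and the `migrate_to_sha256` policy are hypothetical, chosen to show the decision a patched client has to make about pins already on disk.

```python
"""Added example (not Cyberduck/Mountain Duck code): SHA-1 pinning beside
SHA-256 pinning, plus a migration check for pins that already exist."""
import hashlib

# Constructed stand-ins for DER-encoded certificates. A real client hashes the
# exact DER bytes of the X.509 certificate; the internal structure is irrelevant.
TRUSTED_DER = b"\x30\x82\x01\x00" + b"constructed self-signed cert for nas.example"
ROGUE_DER = b"\x30\x82\x01\x00" + b"constructed attacker cert for nas.example"

DIGEST_LENGTHS = {"sha1": 20, "sha256": 32}  # digest size in bytes


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex fingerprint, in the form openssl prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_algorithm(pin: str):
    """Infer which hash produced a stored pin from its length; None if neither."""
    raw_len = len(pin.replace(":", "")) // 2
    for name, length in DIGEST_LENGTHS.items():
        if raw_len == length:
            return name
    return None


class PinStore:
    """host -> fingerprint map, mirroring how a client remembers a self-signed
    certificate the user accepted once (hypothetical in-memory store)."""

    def __init__(self, algorithm: str):
        if algorithm not in DIGEST_LENGTHS:
            raise ValueError(f"unsupported pin hash {algorithm}")
        self.algorithm = algorithm
        self.pins: dict[str, str] = {}

    def trust(self, host: str, der: bytes) -> None:
        self.pins[host] = fingerprint(der, self.algorithm)

    def verify(self, host: str, der: bytes) -> bool:
        """True only if a pin exists and the presented certificate matches it.
        With algorithm="sha1" this is the vulnerable check: any certificate whose
        DER collides with the pinned one under SHA-1 passes as well."""
        pinned = self.pins.get(host)
        return pinned is not None and pinned == fingerprint(der, self.algorithm)

    def weak_hosts(self) -> list:
        """Hosts whose stored pin was produced by a weak hash (an audit helper)."""
        return sorted(h for h, p in self.pins.items() if pin_algorithm(p) == "sha1")


def migrate_to_sha256(old: PinStore, presented: dict) -> PinStore:
    """Re-pin each host under SHA-256 using the certificate it presents on the
    next connection, but only if that certificate still matches the old SHA-1
    pin. Hosts that fail the old check, or present nothing, are dropped so the
    user must re-approve them explicitly instead of silently inheriting trust."""
    new = PinStore("sha256")
    for host, der in presented.items():
        if old.verify(host, der):
            new.trust(host, der)
    return new
```

Note the residual risk in the migration step: it trusts the SHA-1 match one last time, so a host that was already pinned to the wrong half of a colliding pair would carry that trust into the SHA-256 store. For high-value hosts, compare the SHA-256 fingerprint against a value obtained out of band before accepting the migrated pin.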

Affected Products

Cyberduck (through 9.1.6); Mountain Duck (through 4.17.5)

Remediation

- Update Cyberduck: upgrade to version 9.1.7 or later. Patched versions replace SHA-1 fingerprint storage with SHA-256.
- Update Mountain Duck: upgrade to version 4.17.6 or later.
- Interim mitigation: if immediate patching is not possible, do not rely on the client's pin for self-signed certificates on TLS-based connections (FTPS, WebDAV over HTTPS, S3-compatible endpoints). Verify the server certificate's SHA-256 fingerprint out of band before accepting it, restrict these connections to trusted networks, and note that SSH key-based authentication only covers SFTP, which does not use TLS pinning.
- Certificate management: for enterprise deployments, migrate self-signed certificates to certificates issued by a trusted CA, so that chain validation applies and the client's pinning store is no longer the only line of defence.

Priority Score

37 (KEV: 0, EPSS: +0.0, CVSS: +37, POC: 0)

CVE-2025-41256 vulnerability details – vuln.today
