How to fix EUVD-2025-19096?

Within 24 hours: Identify all users and systems running Cyberduck (≤9.1.6) or Mountain Duck (≤4.17.5) across your organization and restrict their use pending remediation. Within 7 days: Issue formal guidance prohibiting use of affected versions and implement technical controls to prevent installation or execution. Within 30 days: Monitor for vendor patches and establish a deployment plan; alternatively, evaluate and migrate users to alternative secure file transfer solutions that properly implement certificate pinning.

Is Windows affected by EUVD-2025-19096?

Cyberduck and Mountain Duck users are at risk of credential theft and lateral movement through improper TLS certificate handling that installs untrusted certificates into the Windows certificate store without user consent or restrictions.

EUVD-2025-19096

| CVE-2025-41255 HIGH

2025-06-25 1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a

8.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-19096

CVE Published

Jun 25, 2025 - 10:15 nvd

HIGH 8.0

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

Analysis

CVE-2025-41255 is a security vulnerability (CVSS 8.0). High severity vulnerability requiring prompt remediation.

Technical Context

Vulnerability type not specified by vendor. CVSS 8.0 indicates high severity.

Affected Products

['Unspecified product']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

EUVD-2025-19096 vulnerability details – vuln.today

Back

EUVD-2025-19096

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-19096

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code