Signinghub
Monthly
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) verification endpoint because it enforces no rate limiting, allowing them to defeat the second verification factor and gain access to signing accounts. The flaw is tagged as an Authentication Bypass and carries a high CVSS of 8.1, though the AC:H metric reflects that success depends on iterating through the OTP keyspace. No CISA KEV listing exists and EPSS is modest (0.46%, 37th percentile), indicating no confirmed active exploitation, but a CVE-named public GitHub repository referenced by NVD suggests exploit details may be circulating.
Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.
Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no rate limiting, driving resource exhaustion and a denial-of-service condition on the e-signature platform. The flaw stems from improper access control (CWE-284) around the account-provisioning function and is exploitable over the network by a low-privileged actor per the CVSS vector (PR:L). Publicly available exploit code exists (GitHub saykino/CVE-2025-56219), but there is no confirmed active exploitation and EPSS remains low at 0.37% (29th percentile).
Arbitrary code execution in Ascertia SigningHub v8.6.8 stems from an unrestricted file upload weakness that lets an attacker upload a crafted PDF which is processed or stored in a way that yields server-side code execution. SigningHub is an enterprise/e-government digital signature and document workflow platform, so a compromise exposes signing keys, signed documents, and the workflow backend. Publicly available exploit code exists (GitHub PoC referenced), but there is no public exploit identified as actively used; EPSS is modest at 0.67% (47th percentile) and it is not in CISA KEV.
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Password (OTP) verification endpoint because it enforces no rate limiting, allowing them to defeat the second verification factor and gain access to signing accounts. The flaw is tagged as an Authentication Bypass and carries a high CVSS of 8.1, though the AC:H metric reflects that success depends on iterating through the OTP keyspace. No CISA KEV listing exists and EPSS is modest (0.46%, 37th percentile), indicating no confirmed active exploitation, but a CVE-named public GitHub repository referenced by NVD suggests exploit details may be circulating.
Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.
Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no rate limiting, driving resource exhaustion and a denial-of-service condition on the e-signature platform. The flaw stems from improper access control (CWE-284) around the account-provisioning function and is exploitable over the network by a low-privileged actor per the CVSS vector (PR:L). Publicly available exploit code exists (GitHub saykino/CVE-2025-56219), but there is no confirmed active exploitation and EPSS remains low at 0.37% (29th percentile).
Arbitrary code execution in Ascertia SigningHub v8.6.8 stems from an unrestricted file upload weakness that lets an attacker upload a crafted PDF which is processed or stored in a way that yields server-side code execution. SigningHub is an enterprise/e-government digital signature and document workflow platform, so a compromise exposes signing keys, signed documents, and the workflow backend. Publicly available exploit code exists (GitHub PoC referenced), but there is no public exploit identified as actively used; EPSS is modest at 0.67% (47th percentile) and it is not in CISA KEV.