Vulnerability Description
Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing the certificate in the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655
- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_C
FAQ
What is CVE-2025-41255?
CVE-2025-41255 is a vulnerability with a CVSS score of 8.0 (HIGH). Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user w...
How severe is CVE-2025-41255?
CVE-2025-41255 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-41255?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.