Vulnerability Description
Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak. This issue affects Cyberduck: through 9.1.6; Mountain Duck: through 4.17.5.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv
- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_C
- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-688c-vjrc-84rv
- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-02_C
FAQ
What is CVE-2025-41256?
CVE-2025-41256 is a vulnerability with a CVSS score of 7.4 (HIGH). Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered w...
How severe is CVE-2025-41256?
CVE-2025-41256 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-41256?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.