CVE-2025-41255 Information

Jun 26, 2025 cve

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g. self-signed) unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.

This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

Reference

https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655 https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655 https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling

CNNVD-202506-3149 (Published: 2025-06-25)

Share on:

CVE-2025-41255 Information

Description

Reference

Related CNNVD