Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-41255

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions.This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

POC

Reference

- https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655

- https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling

Github

- https://github.com/fkie-cad/nvd-json-data-feeds