{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-44005", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2025-07-28T19:00:54.642Z", "datePublished": "2025-12-17T15:16:16.495Z", "dateUpdated": "2025-12-17T18:00:09.151Z"}, "containers": {"cna": {"affected": [{"vendor": "smallstep", "product": "Step-CA", "versions": [{"version": "0.28.4", "status": "affected"}, {"version": "v0.28.3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE", "cweId": "CWE-287"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2025-12-17T18:00:09.151Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242"}, {"url": "https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p", "name": "https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p"}], "credits": [{"lang": "en", "value": "Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG)"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T15:37:57.395652Z", "id": "CVE-2025-44005", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T15:40:26.757Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2242"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-17T17:06:18.202Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks."}], "id": "CVE-2025-44005", "lastModified": "2025-12-18T15:07:42.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "talos-cna@cisco.com", "type": "Secondary"}]}, "published": "2025-12-17T16:16:05.847", "references": [{"source": "talos-cna@cisco.com", "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p"}, {"source": "talos-cna@cisco.com", "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2242"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "talos-cna@cisco.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/smallstep/certificates: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation", "id": "2423196", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423196"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-287", "details": ["A flaw was found in the Automated Certificate Management Environment (ACME) and Simple Certificate Enrollment Protocol (SCEP) provisioner features of Step CA (github.com/smallstep/certificates). This vulnerability allows an authorization bypass vulnerability in Step CA\u2019s ACME and SCEP provisioners where certain authentication tokens are not properly rejected. This allows a remote, unauthenticated attacker to bypass protocol authorization checks and obtain certificates, leading to unauthorized certificate issuance."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.\nBut the exposure can be minimized by restricting or blocking access to the /sign endpoint through network controls or reverse proxies."}, "name": "CVE-2025-44005", "public_date": "2025-12-17T15:16:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-44005\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-44005\nhttps://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2025-2242"], "statement": "No Red Hat products are impacted, because the affected component (Step CA) is not used or provided by any products.\nThis vulnerability was marked as a Critical vulnerability because it allows a remote, unauthenticated attacker to bypass core authorization mechanisms of a Certificate Authority and directly issue trusted certificates, fundamentally breaking the CA trust boundary. While the flaw does not lead to arbitrary code execution on the Step CA host, compromising a CA\u2019s issuance process is equivalent to a system-level security failure, as attackers can mint certificates for unauthorized identities and use them for large-scale impersonation, man-in-the-middle attacks, and interception of encrypted traffic across systems beyond the CA itself. The attack requires no privileges, no user interaction, and low complexity, and its effects propagate outside the vulnerable system due to the implicit trust placed in issued certificates, resulting in a scope change and high confidentiality and integrity impact. This ability to undermine PKI trust at scale elevates the flaw beyond an Important issue and justifies a Critical severity classification from a technical risk standpoint.", "threat_severity": "Critical"}

{"created": "2025-12-18T09:57:27.618023+00:00", "updated": "2025-12-18T09:57:27.618058+00:00", "vendors": ["smallstep", "smallstep$PRODUCT$step-ca"]}