CVE-2025-41255 · HIGH 8.0 · EPSS percentile 6.0%

Description

Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing them into the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.16% probability of exploitation · percentile 6.0% · 2026-06-19T12:03:05Z
Published: 2025-06-25
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-266 (Incorrect Privilege Assignment)

References

  1. https://github.com/iterate-ch/cyberduck/security/advisories/GHSA-vjjc-grpp-m655
  2. https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-01_Cyberduck_Mountain_Duck_Certificate_Handling


Type      Target                                    Confidence  Tier
Weakness  Incorrect Privilege Assignment (cwe-266)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus: CVE-2026-3012, CVE-2025-1014, CVE-2025-67229, CVE-2025-27740, CVE-2026-4434, CVE-2026-44810.

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.