Unsigned Update Manifest in GoSign Desktop Affects Multiple Operating Systems
CVE-2025-34324
Key Information:
- Vendor
Tinexta Infocert S.p.a.
- Status
- Vendor
- CVE Published:
- 18 November 2025
Badges
What is CVE-2025-34324?
GoSign Desktop versions 2.4.0 and earlier utilize an unsigned update manifest for application updates, posing significant security risks. The manifest consists of package URLs and SHA-256 hashes but lacks digital signatures, thereby depending solely on the integrity of the TLS channel. When configured with a proxy, TLS certificate validation can be rendered ineffective, allowing an attacker to intercept network traffic. This vulnerability enables attackers to deliver a malicious update manifest, which may lead to arbitrary code execution with the same privileges as the GoSign Desktop user on Windows and macOS, or escalate privileges on Linux environments. Local attackers capable of modifying proxy settings can exploit this flaw to push crafted updates, further compromising system security.
Affected Version(s)
GoSign Desktop 0 < 2.4.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved