Improper TLS Certificate Pinning in Cyberduck and Mountain Duck
CVE-2025-41255

8HIGH

Key Information:

Vendor: Iterate Gmbh
Status: Cyberduck; Mountain Duck
Vendor: CVE Published:; 25 June 2025

🔔 Create Iterate Gmbh Vulnerability Alert

What is CVE-2025-41255?

Cyberduck and Mountain Duck exhibit a flaw in their handling of TLS certificate pinning, which allows the installation of untrusted certificates, including self-signed ones, into the Windows Certificate Store of the current user without adequate restrictions. This oversight poses a security risk as it may enable unauthorized access or exploitation of trusted connections.

Affected Version(s)

Cyberduck 0 <= 9.1.6

Mountain Duck 0 <= 4.17.5

References

https://github.com/sbaresearch/advisories/tree/public/202...

third-party-advisory

https://github.com/iterate-ch/cyberduck/security/advisori...

vendor-advisory

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Thomas Kostal

Andreas Boll