Weak TLS Certificate Pinning in Cyberduck and Mountain Duck
CVE-2025-41256

7.4 HIGH

Key Information:

Vendor
CVE Published: 25 June 2025

What is CVE-2025-41256?

Cyberduck and Mountain Duck suffer from a vulnerability related to improper handling of TLS certificate pinning. The issue arises because the software stores pinned certificate fingerprints computed with the SHA-1 hash algorithm, which is recognized as weak and vulnerable to collision attacks. As a result, untrusted certificates, including self-signed ones, may be accepted without sufficient validation, exposing users to potential man-in-the-middle attacks and other security threats. Users should update to the latest versions to mitigate these risks.
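The description above comes down to one defensive rule: a pin is only as strong as the hash it is stored under. The Python below is an added illustration, not code from the Cyberduck or Mountain Duck projects, of how a pin store can enforce that rule: fingerprints are computed and stored with SHA-256 only, legacy 40-hex-character SHA-1 pins are refused at load time so they can be re-pinned, and the comparison is constant-time. The certificate bytes and host names are constructed placeholders, not real certificates.

```python
import hashlib
import hmac

# Constructed sample standing in for a DER-encoded certificate; not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-self-signed-certificate-body"


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint of the DER bytes under the given hash (default SHA-256)."""
    return hashlib.new(algorithm, der).hexdigest()


def classify_pin(hex_fp: str) -> str:
    """Guess the hash a stored pin was made with from its length.

    40 hex chars is a SHA-1 digest, 64 hex chars is SHA-256; anything else is unknown.
    """
    cleaned = hex_fp.replace(":", "").strip().lower()
    if len(cleaned) == 40:
        return "sha1"
    if len(cleaned) == 64:
        return "sha256"
    return "unknown"


class PinStore:
    """Pinned fingerprints keyed by host. Only SHA-256 pins are accepted."""

    def __init__(self) -> None:
        self._pins: dict[str, set[str]] = {}

    def add_pin(self, host: str, hex_fp: str) -> None:
        """Store a pin; refuses SHA-1 (or unrecognised) fingerprints outright."""
        kind = classify_pin(hex_fp)
        if kind != "sha256":
            raise ValueError(f"refusing to store a {kind} pin for {host}; re-pin with SHA-256")
        self._pins.setdefault(host, set()).add(hex_fp.replace(":", "").lower())

    def load_legacy(self, entries: list[tuple[str, str]]) -> list[str]:
        """Import an existing pin list, returning the hosts whose pins were rejected.

        Rejected hosts have no pin afterwards, so a connection to them must
        fall back to a fresh trust decision rather than a weak pin.
        """
        rejected = []
        for host, hex_fp in entries:
            try:
                self.add_pin(host, hex_fp)
            except ValueError:
                rejected.append(host)
        return rejected

    def check(self, host: str, der: bytes) -> str:
        """Decide on a presented certificate: 'match', 'mismatch', or 'no-pin'."""
        pinned = self._pins.get(host)
        if not pinned:
            return "no-pin"
        actual = fingerprint(der, "sha256")
        # Constant-time comparison against every pin so timing does not leak which pin exists.
        matched = False
        for candidate in pinned:
            matched |= hmac.compare_digest(candidate, actual)
        return "match" if matched else "mismatch"


if __name__ == "__main__":
    store = PinStore()
    # Constructed legacy list: one SHA-1 pin (rejected) and one SHA-256 pin (kept).
    legacy = [
        ("legacy.example.test", fingerprint(SAMPLE_CERT_DER, "sha1")),
        ("files.example.test", fingerprint(SAMPLE_CERT_DER, "sha256")),
    ]
    print("rejected legacy pins for:", store.load_legacy(legacy))
    print("files.example.test:", store.check("files.example.test", SAMPLE_CERT_DER))
    print("tampered cert:", store.check("files.example.test", SAMPLE_CERT_DER + b"x"))
    print("legacy host:", store.check("legacy.example.test", SAMPLE_CERT_DER))
```

Refusing to load the weak pins, rather than silently honouring them, is the point: a host whose only pin was SHA-1 is reported as `no-pin`, which forces an explicit trust decision instead of letting a collision-prone fingerprint vouch for the server.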

Affected Version(s)

Cyberduck 0 <= 9.1.6

Mountain Duck 0 <= 4.17.5

References

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thomas Kostal
Andreas Boll