CVE 10 CRITICAL

CVE-2025-44005_CVE-2025-44005

December 17, 2025 invoker category_cve

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Description

An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

AI Analysis

Authorization bypass vulnerability in Step CA ACME or SCEP provisioner

Basic Information

ID CVE-2025-44005

Source talos

Published Dec 17, 2025 at 15:16

Modified Dec 17, 2025 at 15:40

Affected Product

Vendor smallstep

Product Step-CA

Version 0.28.4

Affected Versions smallstep Step-CA 0.28.4
smallstep Step-CA v0.28.3
smallstep Step-CA 0

CWE Classification

CWE-287

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor smallstep

Product Step-CA

Version 0.28.4, 0.28.3, 0

References

{
    "lastseen": "",
    "description": "An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.",
    "published": "2025-12-17T15:16:16.495Z",
    "modified": "2025-12-17T15:40:26.757Z",
    "type": "cve",
    "title": "CVE-2025-44005",
    "source": "talos",
    "references": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242\nhttps://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p",
    "id": "CVE-2025-44005",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "smallstep Step-CA 0.28.4\nsmallstep Step-CA v0.28.3\nsmallstep Step-CA 0",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Step-CA",
    "version": "0.28.4",
    "vendor": "smallstep",
    "ai_description": "Authorization bypass vulnerability in Step CA ACME or SCEP provisioner",
    "ai_severity": "Critical",
    "ai_vendor": "smallstep",
    "ai_product": "Step-CA",
    "ai_version": "0.28.4, 0.28.3, 0",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply