PT-2025-26818 · Cyberduck+1
Andreas Boll +1 · Published 2025-06-25 · Updated 2025-06-30 · CVE-2025-41256
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Cyberduck versions through 9.1.6
Mountain Duck versions through 4.17.5
Description:
The issue is related to improper handling of TLS certificate pinning for untrusted certificates, such as self-signed certificates, in Cyberduck and Mountain Duck. The certificate fingerprint is stored as SHA-1, which is considered weak.
Recommendations:
For Cyberduck versions through 9.1.6, consider updating to a version that properly handles TLS certificate pinning.
For Mountain Duck versions through 4.17.5, consider updating to a version that properly handles TLS certificate pinning.
As a temporary workaround, consider disabling the use of SHA-1 for certificate fingerprints in both Cyberduck and Mountain Duck until a patch is available.
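The fingerprint comparison behind certificate pinning, as an added example that is not Cyberduck's or Mountain Duck's code: it classifies a stored pin by digest length, treats SHA-1 pins as needing re-pinning (a policy chosen for this example), and compares SHA-256 pins in constant time. The pin format (hex with optional colons), the function names, the host names and the certificate bytes are all assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Hex digest length -> algorithm (assumed pin format: hex, optional colons).
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(pin: str) -> str:
    """Strip colon/space separators and lowercase a hex fingerprint."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_algorithm(pin: str) -> str:
    """Infer the hash algorithm of a stored pin from its hex length."""
    hexpin = normalize(pin)
    if not hexpin or any(c not in "0123456789abcdef" for c in hexpin):
        return "unknown"
    return ALGO_BY_HEX_LEN.get(len(hexpin), "unknown")


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Hex digest over the DER encoding of the presented certificate."""
    return hashlib.new(algo, cert_der).hexdigest()


def check_pin(cert_der: bytes, stored_pin: str) -> str:
    """Return 'match', 'mismatch' or 'repin-required' for a presented cert."""
    if pin_algorithm(stored_pin) != "sha256":
        # Example policy: a SHA-1 (or unrecognised) pin is never accepted.
        return "repin-required"
    presented = fingerprint(cert_der, "sha256")
    ok = hmac.compare_digest(presented, normalize(stored_pin))
    return "match" if ok else "mismatch"


def audit(pins: dict) -> dict:
    """Map host -> algorithm for every stored pin that is not SHA-256."""
    return {h: pin_algorithm(p) for h, p in pins.items()
            if pin_algorithm(p) != "sha256"}


# Constructed sample data: placeholder bytes standing in for DER certificates.
CERT_A = b"constructed-der-bytes-for-server-A"
CERT_B = b"constructed-der-bytes-for-server-B"
SAMPLE_PINS = {
    "legacy.example": fingerprint(CERT_A, "sha1"),
    "current.example": fingerprint(CERT_A, "sha256"),
}
```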
Affected Products
Cyberduck
Mountain Duck