CVE-2025-44005

smallstep · Step-CA

An authorization bypass in smallstep Step-CA allows attackers to force the creation of certificates without completing required protocol authorization checks.

Executive summary

A critical authorization bypass in smallstep Step-CA allows unauthenticated attackers to issue unauthorized certificates, undermining the integrity of the PKI infrastructure.

Vulnerability

This vulnerability is an improper authentication flaw (CWE-287) in the ACME and SCEP provisioners. An unauthenticated attacker can bypass the provisioners' authorization checks and force the issuance of certificates without completing the steps the protocol requires.

Business impact

With a CVSS score of 10.0, this vulnerability allows for the unauthorized issuance of valid certificates, which can be used to impersonate services or intercept encrypted traffic. This represents a total loss of trust in the certificate authority's issuance process, leading to significant reputational damage and security risk.

Remediation

Immediate Action: Update smallstep Step-CA to the latest patched version. Review all certificate issuance logs for suspicious activity occurring after the introduction of the affected versions.

Proactive Monitoring: Monitor ACME and SCEP logs for anomalous certificate requests or requests that lack proper authorization headers.

Compensating Controls: If immediate updates are not possible, restrict access to the ACME/SCEP endpoints via network-level controls to trusted IP addresses only.
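As an added illustration of the log review described in the steps above (this is not code from the advisory or from smallstep), the following Python script looks for ACME orders that were finalized without any preceding challenge request from the same client, which is the request pattern a certificate issued without completing authorization would leave behind. It assumes step-ca writes one JSON request-log entry per request with time, method, path, status and remote-address fields and ACME paths of the form /acme/<provisioner>/...; the field names and the sample log lines are assumptions and constructed data, not verified step-ca output.

```python
"""Heuristic review of CA request logs: flag ACME finalize requests that no
challenge request from the same client preceded in the log window.

Assumptions (not taken from the advisory): one JSON object per request with
"time", "method", "path", "status" and "remote-address" fields, and ACME paths
of the form /acme/<provisioner>/challenge/... and /acme/<provisioner>/order/<id>/finalize.
The client address stands in for the ACME account, which an access log does not name.
"""
import json
import re
from collections import defaultdict

CHALLENGE_RE = re.compile(r"^/acme/[^/]+/challenge/")
FINALIZE_RE = re.compile(r"^/acme/[^/]+/order/([^/]+)/finalize$")

# Constructed sample: 10.0.0.5 follows the normal new-order -> challenge -> finalize
# flow; 10.0.0.9 finalizes an order without ever posting to a challenge URL.
SAMPLE_LOG = """\
{"time":"2025-05-01T10:00:01Z","method":"POST","path":"/acme/acme/new-order","status":201,"remote-address":"10.0.0.5:50001"}
{"time":"2025-05-01T10:00:02Z","method":"POST","path":"/acme/acme/challenge/Qx1/http-01","status":200,"remote-address":"10.0.0.5:50002"}
{"time":"2025-05-01T10:00:05Z","method":"POST","path":"/acme/acme/order/Ord1/finalize","status":200,"remote-address":"10.0.0.5:50003"}
{"time":"2025-05-01T10:01:00Z","method":"POST","path":"/acme/acme/new-order","status":201,"remote-address":"10.0.0.9:41000"}
{"time":"2025-05-01T10:01:01Z","method":"POST","path":"/acme/acme/order/Ord2/finalize","status":200,"remote-address":"10.0.0.9:41001"}
"""

def client_of(entry):
    # Drop the ephemeral source port so every request from one host groups together.
    return entry["remote-address"].rsplit(":", 1)[0]

def find_unchallenged_finalizes(log_text):
    """Return [(client, order_id, time)] for successful finalize requests that no
    challenge POST from the same client preceded within this log window."""
    challenged = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("method") != "POST":
            continue
        client = client_of(entry)
        if CHALLENGE_RE.match(entry["path"]):
            challenged[client] += 1
            continue
        m = FINALIZE_RE.match(entry["path"])
        if m and entry.get("status") == 200 and challenged[client] == 0:
            findings.append((client, m.group(1), entry["time"]))
    return findings

if __name__ == "__main__":
    for client, order, when in find_unchallenged_finalizes(SAMPLE_LOG):
        print(f"{when} {client} finalized order {order} with no prior challenge request")
```

Authorizations reused from an earlier order, or clients behind a shared NAT address, can produce the same pattern, so treat hits as leads to check against the issued certificates rather than as confirmed abuse.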

Exploitation status

Public Exploit Available: Yes (Proof-of-Concept)

Analyst recommendation

This is a critical vulnerability with confirmed Proof-of-Concept availability. Organizations must prioritize patching their Step-CA deployments immediately to prevent the unauthorized issuance of certificates and maintain the integrity of their PKI environment.