cbcvebase.
CVE-2025-44005
published 2025-12-17


Priority: P2 (67)
CVSS 3.1: 10.0 (critical)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:N
EPSS: 3.26% (86.8th percentile)
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.

Affected

3 ranges

Vendor       Product                  Version range      Fixed in
github.com   smallstep_certificates   >= 0, < 0.29.0     0.29.0
smallstep    step-ca
smallstep    step-ca

Detection & IOCs (extracted from sources)

  • Monitor and restrict access to the /sign endpoint on Step CA instances, as this is the endpoint exploited during unauthorized certificate issuance via ACME or SCEP provisioners.
  • Alert on certificate issuance events from Step CA ACME or SCEP provisioners originating from unauthenticated or unexpected remote sources, as the vulnerability allows remote, unauthenticated attackers to bypass authorization and obtain certificates.
  • The vulnerability affects the github.com/smallstep/certificates component (Step CA). Red Hat confirms none of its products ship or use this component, so exposure is limited to environments directly deploying Step CA or software embedding it (e.g., Caddy with the smallstep/certificates dependency).
  • The attack requires no privileges and no user interaction with low complexity, meaning any network-reachable Step CA instance with ACME or SCEP provisioners enabled is at risk without additional network controls.
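The two checks above (is this instance on a fixed release, and did any certificate issuance come from an unexpected source) can be scripted against a version string and a JSON access log. The block below is an added example written for this page, not code from the smallstep project. It assumes step-ca's request logger emits one JSON object per line with "method", "path", "status" and "remote-address" fields, and it assumes that ACME finalize and SCEP operation paths look like /acme/<provisioner>/order/<id>/finalize and /scep/<provisioner>; both the field names and the path patterns are assumptions to adapt to your deployment. The sample log lines are constructed for the demonstration.

```python
"""Triage helper for CVE-2025-44005 (Step CA ACME/SCEP authorization bypass).

Two checks:
  1. is_affected(): flags step-ca / smallstep/certificates versions below
     the fixed release 0.29.0 (the version range given in the advisory).
  2. flag_issuance(): scans JSON access-log lines for successful certificate
     issuance requests (the /sign endpoint and ACME/SCEP provisioner paths)
     whose source address is outside an allow-list of expected networks.

ASSUMPTION: the log field names ("method", "path", "status",
"remote-address") and the ACME/SCEP path patterns below are assumed; adapt
them to what your step-ca instance actually logs.
"""
import ipaddress
import json
import re

FIXED_VERSION = (0, 29, 0)  # first fixed release per the advisory

# "/sign" is the endpoint named in the advisory. The ACME finalize and SCEP
# patterns are ASSUMED shapes for provisioner-driven issuance.
ISSUANCE_PATHS = re.compile(
    r"(/sign$|/acme/[^/]+/order/[^/]+/finalize$|/scep/[^/]+$)"
)

# Constructed sample access-log lines (not real step-ca output).
SAMPLE_LOG = [
    '{"time":"2025-12-17T10:00:01Z","method":"POST","path":"/acme/acme/order/abc/finalize","status":200,"remote-address":"10.0.1.20:51234"}',
    '{"time":"2025-12-17T10:00:02Z","method":"POST","path":"/1.0/sign","status":200,"remote-address":"198.51.100.7:44211"}',
    '{"time":"2025-12-17T10:00:03Z","method":"GET","path":"/acme/acme/directory","status":200,"remote-address":"198.51.100.7:44212"}',
    '{"time":"2025-12-17T10:00:04Z","method":"POST","path":"/scep/scep","status":401,"remote-address":"203.0.113.9:3000"}',
    '{"time":"2025-12-17T10:00:05Z","method":"POST","path":"/scep/scep","status":200,"remote-address":"[2001:db8::1]:3000"}',
    "not json at all",
]


def parse_version(text):
    """Extract the first X.Y.Z triple from e.g. 'Smallstep CA/0.28.4 (linux/amd64)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True when the running version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def source_ip(remote_address):
    """Strip a trailing :port from 'host:port' or '[v6]:port' and parse the host."""
    if remote_address.startswith("[") or remote_address.count(":") == 1:
        host = remote_address.rsplit(":", 1)[0]
    else:
        host = remote_address  # bare IPv4 or bare IPv6 literal
    return ipaddress.ip_address(host.strip("[]"))


def flag_issuance(log_lines, allowed_networks):
    """Return (path, source, reason) for successful issuance requests from outside allowed_networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an access-log record
        path = rec.get("path", "")
        if rec.get("method") != "POST" or not ISSUANCE_PATHS.search(path):
            continue
        if rec.get("status") not in (200, 201):
            continue  # rejected attempts are out of scope for this check
        addr = rec.get("remote-address", "")
        try:
            ip = source_ip(addr)
        except ValueError:
            findings.append((path, addr, "unparseable source address"))
            continue
        if not any(ip in net for net in nets):
            findings.append((path, str(ip), "issuance from outside expected networks"))
    return findings


if __name__ == "__main__":
    print("affected:", is_affected("Smallstep CA/0.28.4 (linux/amd64)"))
    for path, src, reason in flag_issuance(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{src:>16}  {path:<32}  {reason}")
```

Run against the constructed sample with 10.0.0.0/8 as the only expected network, the ACME finalize from 10.0.1.20 is accepted, the GET to the directory and the 401 SCEP attempt are skipped, and the /1.0/sign request from 198.51.100.7 and the SCEP issuance from 2001:db8::1 are flagged. Feed it your real log and CIDRs; the point of the status filter is that only successful issuance matters for this vulnerability, while failed attempts belong to a separate brute-force or scanning alert.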

CVSS provenance

NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Vendor (Red Hat): 10.0 CRITICAL