CVE-2025-44005
Published 2025-12-17
Priority P267 · Severity critical · CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 3.26% (86.8th percentile)
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | smallstep_certificates | >= 0 < 0.29.0 | 0.29.0 |
| smallstep | step-ca | — | — |
| smallstep | step-ca | — | — |
Detection & IOCs (extracted from sources)
- Monitor and restrict access to the /sign endpoint on Step CA instances, as this is the endpoint exploited during unauthorized certificate issuance via ACME or SCEP provisioners.
- Alert on certificate issuance events from Step CA ACME or SCEP provisioners originating from unauthenticated or unexpected remote sources, as the vulnerability allows remote, unauthenticated attackers to bypass authorization and obtain certificates.
- The vulnerability affects the github.com/smallstep/certificates component (Step CA). Red Hat confirms none of its products ship or use this component, so exposure is limited to environments directly deploying Step CA or software embedding it (e.g., Caddy with the smallstep/certificates dependency).
- The attack requires no privileges and no user interaction with low complexity, meaning any network-reachable Step CA instance with ACME or SCEP provisioners enabled is at risk without additional network controls.
CVSS provenance
- NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- Red Hat (vendor): 10.0 CRITICAL
OSV
Step CA Has Authorization Bypass in ACME and SCEP Provisioners in github.com/smallstep/certificates
osv · 2025-12-08
GHSA
Step CA Has Authorization Bypass in ACME and SCEP Provisioners
ghsa · 2025-12-03 · CRITICAL · CWE-306
## Summary
A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with ACME and/or SCEP provisioners.
All operators running these provisioners should upgrade to the latest release (`v0.29.0`) immediately.
The issue was discovered and disclosed by a research team during a security review. There is no evidence of active exploitation.
To limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.
---
## Embargo List
If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm
OSV
Step CA Has Authorization Bypass in ACME and SCEP Provisioners
osv · 2025-12-03 · CRITICAL
Red Hat
github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation
vendor_redhat · 2025-12-17 · CVSS 10.0 · CRITICAL · CWE-287
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
A flaw was found in the Automated Certificate Management Environment (ACME) and Simple Certificate Enrollment Protocol (SCEP) provisioner features of Step CA (github.com/smallstep/certificates). The flaw is an authorization bypass in Step CA’s ACME and SCEP provisioners: certain authentication tokens are not properly rejected. This allows a remote, unauthenticated attacker to bypass protocol authorization checks and obtain certificates, leading to unauthorize
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [fedora-all]
bugzilla · 2026-06-13 · CVSS 10.0 · CRITICAL
+++ This bug was initially created as a clone of Bug #2423203 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Bugzilla
CVE-2025-44005 github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation
bugzilla · 2025-12-17 · CVSS 10.0 · CRITICAL
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
Bugzilla
CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [epel-8]
bugzilla · 2025-12-17 · CVSS 10.0 · CRITICAL
Discussion:
Combining this one with bug 2423203.
*** This bug has been marked as a duplicate of bug 2423203 ***
Bugzilla
CVE-2025-44005 caddy: github.com/smallstep/certificates: Authorization bypass allows unauthorized certificate creation [epel-all]
bugzilla · 2025-12-17 · CVSS 10.0 · CRITICAL
Discussion:
*** Bug 2423202 has been marked as a duplicate of this bug. ***
Talos
Libbiosig, Grassroot DiCoM, Smallstep step-ca vulnerabilities
blogs_talos · 2025-12-17 · CVSS 7.4 · HIGH
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
## Libbiosig vulnerability
Discovered by Mark Bereza of Cisco Talos.
BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage resear
Wiz
CVE-2025-44005 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 10.0 · CRITICAL
## CVE-2025-44005: Wolfi vulnerability analysis and mitigation
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. (Source: NVD)
- Score: 10
- Published: December 17, 2025
- Severity: CRITICAL
- CNA Score: 10.0
- Affected Technologies: Wolfi, Chainguard
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 6.5
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: step-certificates, github.com/smallstep/certificates

Sources

| Source | Versions | Severity | Fix status | Added at |
|---|---|---|---|---|
| NVD | — | — | — | — |
| Alpine | 3.22, 3.23, edge | CRITICAL | Has Fix | Dec 07, 2025 |
| Chainguard | — | — | Has Fix | Dec 07, 2025 |
| Debian | 7, 8, 9, 10, 11, 1 | — | — | — |