CVE-2025-34324 – GoSign Desktop versions 2.4.0 and earlier have ... (How to Fix)

Q: What is the severity of CVE-2025-34324?

CVE-2025-34324 has a CVSS score of 7.8 (HIGH). GoSign Desktop versions 2.4.0 and earlier have an insecure update mechanism that allows attackers to execute arbitrary code. The vulnerability occurs because the update manifest isn't digitally signed, and TLS certificate validation can be disabled when a proxy is configured. This affects all users of vulnerable versions on Windows, macOS, and Linux systems.

📋 TL;DR

GoSign Desktop versions 2.4.0 and earlier have an insecure update mechanism that allows attackers to execute arbitrary code. The vulnerability occurs because the update manifest isn't digitally signed, and TLS certificate validation can be disabled when a proxy is configured. This affects all users of vulnerable versions on Windows, macOS, and Linux systems.

💻 Affected Systems

Products:

GoSign Desktop

Versions: 2.4.0 and earlier

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations are vulnerable. Linux deployments may allow privilege escalation to root in some configurations.

📦 What is this software?

Gosign by Infocert

View all CVEs affecting Gosign →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution with user privileges (or elevated privileges on Linux), potentially leading to data theft, ransomware deployment, or complete system control.

🟠

Likely Case

Local privilege escalation by attackers who can modify proxy settings, or network-based attacks in environments where TLS interception is possible.

🟢

If Mitigated

Limited to authenticated attackers with network access or local users who can modify proxy configurations.

🌐 Internet-Facing: MEDIUM - Requires proxy configuration or TLS interception, but remote exploitation is possible if those conditions are met.

🏢 Internal Only: HIGH - Internal attackers with network access or ability to modify proxy settings can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires either network interception capability or local access to modify proxy settings. Public technical details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1 or later

Vendor Advisory: https://infocert.digital/consumer/gosign-suite/

Restart Required: Yes

Instructions:

1. Download GoSign Desktop version 2.4.1 or later from official vendor site. 2. Install the update. 3. Restart the application. 4. Verify the update was successful by checking the version number.

🔧 Temporary Workarounds

Disable proxy configuration

all

Prevent TLS certificate validation bypass by removing or disabling proxy settings in GoSign Desktop.

Check application settings for proxy configuration and disable it

Network segmentation

all

Isolate GoSign Desktop systems from untrusted networks to prevent traffic interception.

🧯 If You Can't Patch

Remove GoSign Desktop from systems where it's not essential
Implement strict network controls to prevent traffic interception and limit who can modify proxy settings

🔍 How to Verify

Check if Vulnerable:

Check GoSign Desktop version in application settings or About dialog. If version is 2.4.0 or earlier, the system is vulnerable.

Check Version:

On Windows: Check Help > About in GoSign Desktop. On macOS/Linux: Check application menu > About GoSign Desktop.

Verify Fix Applied:

Verify version is 2.4.1 or later in application settings. Check that update manifest validation is now properly implemented.

📡 Detection & Monitoring

Log Indicators:

Unexpected update downloads
Proxy configuration changes
Failed TLS certificate validations
Unusual process execution from GoSign Desktop

Network Indicators:

Unusual update server connections
Manifest downloads from non-standard sources
TLS interception attempts

SIEM Query:

process_name:"GoSign Desktop" AND (event_type:"process_creation" OR event_type:"network_connection") AND (destination_ip NOT IN [official_update_servers] OR proxy_config_changed:true)

📊 Metadata

CVE ID: CVE-2025-34324

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-347

EPSS Score: 0.01% exploit probability (0.4th percentile)

Published: November 18, 2025

Last Updated: December 31, 2025

🔗 References

https://infocert.digital/consumer/gosign-suite/ Product
https://www.ush.it/2025/11/14/multiple-vulnerabilities-gosign-desktop-remote-code-execution/ Exploit,Third Party Advisory
https://www.ush.it/2025/11/14/vulnerabilita-multiple-gosign-desktop-esecuzione-remota-codice-arbitrario/ Exploit,Third Party Advisory
https://www.vulncheck.com/advisories/gosign-desktop-insecure-update-mechanism-rce Third Party Advisory
https://www.ush.it/2025/11/14/multiple-vulnerabilities-gosign-desktop-remote-code-execution/ Exploit,Third Party Advisory
https://www.ush.it/2025/11/14/vulnerabilita-multiple-gosign-desktop-esecuzione-remota-codice-arbitrario/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-34324, you might also want to check these: