CVE-2025-44005
📋 TL;DR
This vulnerability in Step CA (smallstep/certificates) lets an attacker who can reach the CA's ACME or SCEP endpoints bypass the provisioner's authorization checks and obtain certificates without completing the protocol's own authorization step. It affects organizations that run Step CA with ACME or SCEP provisioners configured, particularly where those endpoints are reachable from the internet.
💻 Affected Systems
- Step CA (Smallstep Certificate Authority, smallstep/certificates) with ACME or SCEP provisioners configured
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry version ranges, so automatic vulnerability detection cannot tell from version data alone whether your system is affected.
Why? The CVE database entry specifies no affected versions. The fix version given below (0.27.0) comes from the vendor advisory, so verify manually against that.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker obtains certificates for any name the CA will sign, which in a private PKI means any service or client identity that trusts that root: man-in-the-middle of internal TLS, impersonation of legitimate services, and bypass of controls such as mTLS or client-certificate authentication that rely on certificate validation.
Likely Case
Unauthorized certificate issuance leading to credential theft, service impersonation, and potential data interception for targeted attacks.
If Mitigated
Limited if network segmentation keeps the endpoints off untrusted networks, issued certificates are monitored (every issuance appears in the CA's logs), and revocation is enforced. Step CA can revoke certificates, but relying parties only benefit if they actually check revocation, so short certificate lifetimes do most of the containment work in practice.
🎯 Exploit Status
No credentials on the CA are required: the attacker needs only network reachability to the ACME or SCEP endpoints of an unpatched instance that has those provisioners enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.27.0 and later
Vendor Advisory: https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p
Restart Required: Yes
Instructions:
1. Update Step CA to version 0.27.0 or later.
2. Restart the Step CA service.
3. Confirm the update with step-ca --version, which must report 0.27.0 or later.
🔧 Temporary Workarounds
Disable ACME/SCEP Provisioners
Platform: all. Temporarily remove the ACME and SCEP provisioners from ca.json until the CA is patched. Clients that enrol or renew through those provisioners will fail until they are restored, so plan around renewal windows.
# Remove each ACME/SCEP provisioner from ca.json by name (step CLI; adjust the config path)
step ca provisioner remove acme --ca-config "$(step path)/config/ca.json"
# Restart Step CA after configuration changes (systemd unit name per your install)
systemctl restart step-ca
Network Segmentation
Platform: linux. Restrict who can reach the CA listener with firewall rules. ACME and SCEP are served on the same port as the rest of the CA API (the "address" in ca.json, 443 by default), so this restricts every CA client, not only ACME/SCEP ones; filter by path (/acme/ and /scep/) at a reverse proxy if you need finer control.
# Example: allow only a trusted CIDR to reach the CA port, drop everyone else
TRUSTED_CIDR="10.0.0.0/8"   # replace with your management/client range
CA_PORT=443                 # the port from "address" in ca.json
iptables -A INPUT -p tcp --dport "$CA_PORT" -s "$TRUSTED_CIDR" -j ACCEPT
iptables -A INPUT -p tcp --dport "$CA_PORT" -j DROP
# -A appends: if an earlier rule already ACCEPTs this port these never match; check with iptables -S INPUT
🧯 If You Can't Patch
- Implement strict network access controls so only known client networks can reach the ACME/SCEP endpoints
- Enable detailed certificate issuance logging and monitor for certificate requests that do not follow the normal ACME challenge or SCEP enrollment flow
- Review certificates issued through the ACME/SCEP provisioners during the exposure window and revoke any that cannot be attributed to a known client
🔍 How to Verify
Check if Vulnerable:
Run step-ca --version. If it reports a version earlier than 0.27.0 and ca.json (authority.provisioners) contains a provisioner of type ACME or SCEP, the instance is affected. Removing those provisioners removes the exposure but not the bug, so the version check remains the authoritative one.
Check Version:
step-ca --version
Verify Fix Applied:
Confirm step-ca --version reports 0.27.0 or later, then issue a test certificate through each ACME and SCEP provisioner from a legitimate client to confirm the normal flows still work: an ACME order should be issued only after its challenge has been validated, and a SCEP enrollment only after the provisioner's checks pass.
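The two checks above (version below 0.27.0, and an ACME or SCEP provisioner present) can be combined into one script. This is an added example, not code from the page or from smallstep/certificates. It assumes that step-ca --version prints a line containing a dotted version such as "Smallstep CA/0.26.2 (linux/amd64)" and that ca.json keeps provisioners under authority.provisioners, each with "type" and "name" fields; the sample version string and ca.json below are constructed.

```python
"""Check whether a Step CA host is in the affected configuration:
version earlier than 0.27.0 AND an ACME or SCEP provisioner in ca.json.

Added example, not part of the original page or of smallstep/certificates.
Assumed: `step-ca --version` output contains a dotted version number, and
ca.json lists provisioners under authority.provisioners with "type"/"name".
"""
import json
import re
import subprocess

FIXED_VERSION = (0, 27, 0)          # first release the vendor advisory lists as fixed
AFFECTED_TYPES = {"ACME", "SCEP"}   # provisioner types named by the advisory


def parse_version(version_output: str) -> tuple:
    """Extract (major, minor, patch) from `step-ca --version` output.
    A pre-release such as 0.27.0-rc.1 is treated as 0.27.0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version number found in: {version_output!r}")
    return tuple(int(x) for x in m.groups())


def exposed_provisioners(ca_config: dict) -> list:
    """Names of the ACME/SCEP provisioners configured in a parsed ca.json."""
    provisioners = ca_config.get("authority", {}).get("provisioners") or []
    return [p["name"] for p in provisioners
            if str(p.get("type", "")).upper() in AFFECTED_TYPES]


def assess(version_output: str, ca_config: dict) -> dict:
    """Combine both checks. Only a pre-0.27.0 CA that actually exposes an
    ACME/SCEP provisioner is reported as vulnerable; an unpatched CA with the
    provisioners removed shows exposed_provisioners [] but patched False."""
    version = parse_version(version_output)
    exposed = exposed_provisioners(ca_config)
    return {
        "version": ".".join(map(str, version)),
        "patched": version >= FIXED_VERSION,
        "exposed_provisioners": exposed,
        "vulnerable": version < FIXED_VERSION and bool(exposed),
    }


def assess_host(ca_json_path: str) -> dict:
    """Run the check against the local step-ca binary and config file."""
    out = subprocess.run(["step-ca", "--version"], capture_output=True,
                         text=True, check=True).stdout
    with open(ca_json_path, encoding="utf-8") as fh:
        return assess(out, json.load(fh))


# Constructed sample input (not taken from a real deployment).
SAMPLE_VERSION_OUTPUT = "Smallstep CA/0.26.2 (linux/amd64)"
SAMPLE_CA_JSON = {
    "address": ":443",
    "authority": {
        "provisioners": [
            {"type": "JWK", "name": "admin@example.com"},
            {"type": "ACME", "name": "acme"},
            {"type": "SCEP", "name": "scep", "challenge": "secret"},
        ]
    },
}

if __name__ == "__main__":
    import sys
    # With a path argument, check this host; without one, run on the sample.
    result = (assess_host(sys.argv[1]) if len(sys.argv) > 1
              else assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CA_JSON))
    print(json.dumps(result, indent=2))
```

Run it as python check_stepca.py /etc/step-ca/config/ca.json on the CA host (or wherever your ca.json lives). A result with patched false and a non-empty exposed_provisioners list is the configuration the advisory describes.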
📡 Detection & Monitoring
Log Indicators (step-ca logs every request with its path, status and client address; JSON when ca.json sets "logger": {"format": "json"}):
- Unusual certificate issuance volume per provisioner or per client address
- ACME orders finalized (/acme/<provisioner>/order/<id>/finalize returning 2xx) by clients that never posted a successful challenge response, or SCEP enrollments that do not match a known device
- Failed challenge or enrollment attempts from a client followed by a successful issuance
Network Indicators:
- Unusual traffic patterns to the ACME/SCEP endpoints (the /acme/ and /scep/ paths on the CA port)
- Certificate requests from addresses outside the expected client ranges
SIEM Query (illustrative Splunk-style search; event, src_ip, domain and threshold are placeholders to map onto your step-ca log fields, which carry path, status and remote-address rather than an event name):
source="step-ca" AND (event="certificate_issued" OR event="acme_order") | stats count by src_ip, domain | where count > threshold
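The log indicators above can be turned into detection logic that runs over step-ca's JSON request log. The script below is an added example, not step-ca code or part of the original page. It assumes each request record carries "time", "remote-address" (ip:port), "method", "path" and "status" (rename the keys in FIELDS if your schema differs), correlates clients by source IP only (so it will misfire behind NAT or a shared proxy), and runs on a constructed sample log embedded in the file.

```python
"""Flag ACME/SCEP activity in step-ca JSON request logs matching the indicators:
an ACME order finalized by a client that never posted a successful challenge
response, finalization after failed challenge responses, and SCEP enrollment
bursts from one client. Added example, not step-ca code; field names below are
assumptions about step-ca's JSON request log and the sample log is constructed."""
import json
import re
from collections import defaultdict

FIELDS = {"time": "time", "addr": "remote-address", "method": "method",
          "path": "path", "status": "status"}

# ACME routes: /acme/<prov>/{new-order,authz/..,challenge/..,order/<id>[/finalize],certificate/..}
ACME_PATH = re.compile(
    r"^/acme/(?P<prov>[^/]+)/(?P<op>new-order|authz|challenge|order|certificate)(?:/(?P<rest>.*))?$")
# SCEP route: /scep/<prov>; enrollment is a POST (GET-based PKIOperation is not counted here)
SCEP_PATH = re.compile(r"^/scep/(?P<prov>[^/?]+)")


def parse_records(lines):
    """Yield parsed JSON records, skipping blank and non-JSON lines (banners, traces)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def client_ip(record):
    """Strip the port from remote-address; works for "[::1]:443" as well."""
    return str(record.get(FIELDS["addr"], "?")).rsplit(":", 1)[0]


def analyze(lines, scep_burst=3):
    """Return findings as a list of dicts, in log order."""
    challenge_ok = defaultdict(set)      # provisioner -> IPs with a 2xx challenge POST
    challenge_failed = defaultdict(int)  # IP -> non-2xx challenge responses seen
    scep_posts = defaultdict(int)        # IP -> successful SCEP POSTs
    findings = []
    for rec in parse_records(lines):
        ip = client_ip(rec)
        path = str(rec.get(FIELDS["path"], ""))
        status = int(rec.get(FIELDS["status"], 0))
        ok = 200 <= status < 300
        when = rec.get(FIELDS["time"])

        m = ACME_PATH.match(path)
        if m:
            prov, op, rest = m.group("prov"), m.group("op"), m.group("rest") or ""
            if op == "challenge":
                if ok:
                    challenge_ok[prov].add(ip)
                else:
                    challenge_failed[ip] += 1
            elif op == "order" and rest.endswith("/finalize") and ok:
                if ip not in challenge_ok[prov]:
                    findings.append({"type": "acme_finalize_without_challenge",
                                     "ip": ip, "provisioner": prov, "time": when})
                elif challenge_failed[ip]:
                    findings.append({"type": "acme_finalize_after_failed_challenge",
                                     "ip": ip, "provisioner": prov, "time": when,
                                     "failed_challenges": challenge_failed[ip]})
            continue

        m = SCEP_PATH.match(path)
        if m and rec.get(FIELDS["method"]) == "POST" and ok:
            scep_posts[ip] += 1
            if scep_posts[ip] == scep_burst:   # report once, when the threshold is hit
                findings.append({"type": "scep_enrollment_burst", "ip": ip,
                                 "provisioner": m.group("prov"),
                                 "count": scep_burst, "time": when})
    return findings


def _rec(t, ip, method, path, status):
    return json.dumps({"time": t, "remote-address": f"{ip}:51000", "method": method,
                       "path": path, "status": status, "name": "ca"})


# Constructed sample log. 10.0.0.5 follows the normal ACME flow; 203.0.113.9
# finalizes an order without answering any challenge and then hammers SCEP;
# 198.51.100.7 fails a challenge before succeeding.
SAMPLE_LOG = [
    _rec("2025-05-01T10:00:00Z", "10.0.0.5", "POST", "/acme/acme/new-order", 201),
    _rec("2025-05-01T10:00:01Z", "10.0.0.5", "POST", "/acme/acme/challenge/az1/ch1", 200),
    _rec("2025-05-01T10:00:05Z", "10.0.0.5", "POST", "/acme/acme/order/o1/finalize", 200),
    _rec("2025-05-01T10:01:00Z", "203.0.113.9", "POST", "/acme/acme/new-order", 201),
    _rec("2025-05-01T10:01:01Z", "203.0.113.9", "POST", "/acme/acme/order/o2/finalize", 200),
    _rec("2025-05-01T10:02:00Z", "198.51.100.7", "POST", "/acme/acme/challenge/az3/ch3", 400),
    _rec("2025-05-01T10:02:10Z", "198.51.100.7", "POST", "/acme/acme/challenge/az3/ch3", 200),
    _rec("2025-05-01T10:02:20Z", "198.51.100.7", "POST", "/acme/acme/order/o3/finalize", 200),
    "not json: startup banner line",
] + [_rec(f"2025-05-01T10:03:0{i}Z", "203.0.113.9", "POST", "/scep/scep", 200) for i in range(3)]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = analyze(fh)
    else:
        findings = analyze(SAMPLE_LOG)
    for f in findings:
        print(json.dumps(f))
```

Point it at the CA's log file (python detect_stepca.py /var/log/step-ca.log, or wherever journald or your collector writes it). The "without challenge" finding is the strongest signal for this CVE; "after failed challenge" and the SCEP burst are lower-confidence and should be tuned against your clients' normal retry behaviour.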