CVE-2025-47220
📋 TL;DR
This vulnerability allows admin users in Keyfactor SignServer to enumerate local files by setting the VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property to arbitrary paths. When the path points to an existing file that isn't a valid image format, the server returns an error confirming the file's existence. This affects SignServer versions prior to 7.3.2.
💻 Affected Systems
- Keyfactor SignServer
📦 What is this software?
Signserver by Keyfactor
⚠️ Risk & Real-World Impact
Worst Case
Admin users could enumerate sensitive system files, configuration files, or credential files, potentially leading to further privilege escalation or data exfiltration.
Likely Case
Admin users with legitimate access could abuse this functionality to confirm existence of specific files they shouldn't have visibility into, violating least privilege principles.
If Mitigated
With proper access controls and monitoring, this would only allow confirmation of file existence without actual file content access.
🎯 Exploit Status
Exploitation requires admin credentials and involves setting the vulnerable property via administrative interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.3.2
Vendor Advisory: https://support.keyfactor.com/hc/en-us/articles/37638761131035-SignServer-CVE-2025-47220-Local-file-enumeration
Restart Required: Yes
Instructions:
1. Download SignServer 7.3.2 from Keyfactor support portal.
2. Backup current configuration and data.
3. Stop SignServer service.
4. Install the update following vendor documentation.
5. Restart SignServer service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to only trusted personnel and implement strict access controls.
Monitor Property Changes
Implement logging and monitoring for changes to the VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property.
🧯 If You Can't Patch
- Implement strict least privilege access controls for admin users
- Monitor and audit all administrative actions in SignServer
🔍 How to Verify
Check if Vulnerable:
Check SignServer version via administrative interface or configuration files. Versions below 7.3.2 are vulnerable.
Check Version:
Check SignServer version in administrative web interface or review application server logs for version information.
Verify Fix Applied:
Verify version is 7.3.2 or higher and test that VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property validation is enforced.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property changes
- Error messages related to invalid image paths from PDF/PAdES signers
Network Indicators:
- Multiple administrative API calls setting custom image paths
SIEM Query:
source="signserver" AND ("VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH" OR "invalid image format")