SBA Security Advisory – Cyberduck and Mountain Duck – Weak Hash Algorithm for Certificate Fingerprint (CVE-2025-41256)

Vulnerability Overview

Cyberduck and Mountain Duck handle certificate pinning for untrusted TLS certificates (e.g., self-signed certificates) improperly: when a user accepts such a certificate, the client records it by its SHA-1 fingerprint, although SHA-1 is considered weak (practical collisions have been demonstrated) and should be replaced with SHA-256 or SHA-512.

  • Type of Vulnerability: CWE-328: Use of Weak Hash
  • Fixed in Version: Cyberduck 9.1.7 and Mountain Duck 4.17.6
  • CVE ID: CVE-2025-41256
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVSS Base Score: 7.4 (High)
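The following is an added illustration of the pinning pattern the advisory refers to, written for this page; it is not Cyberduck or Mountain Duck code and makes no claim about how those clients implement the fix. It computes certificate fingerprints over DER bytes, refuses to create new pins with SHA-1 (or MD5), and treats an imported legacy SHA-1 pin as untrusted so the user has to re-accept the certificate under SHA-256. The "certificate" bytes are a constructed placeholder rather than a real DER certificate; `fetch_peer_der` shows where a client would obtain the real bytes and is not called here.

```python
"""Certificate fingerprint pinning: SHA-1 (weak) versus SHA-256 (recommended).

Added example for this advisory page, not code from Cyberduck/Mountain Duck.
The DER bytes below are constructed stand-ins, not a real certificate.
"""
import hashlib
import hmac
import socket
import ssl

# Hashes a pin store must never use; a collision lets a second, attacker-built
# certificate produce the same fingerprint as the one the user accepted.
WEAK_ALGORITHMS = {"md5", "sha1"}
# Hashes acceptable for new pins.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}

# Constructed placeholder for DER-encoded certificate bytes (assumption: any
# byte string will do for demonstrating the hashing and comparison logic).
SAMPLE_DER = b"constructed-not-a-real-certificate:" + bytes(range(64))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Return the colon-separated, upper-case hex fingerprint of DER bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store for certificates the user explicitly accepted."""

    def __init__(self) -> None:
        # hostname -> (algorithm, fingerprint)
        self._pins: dict[str, tuple[str, str]] = {}

    def pin(self, hostname: str, der: bytes, algorithm: str = "sha256") -> str:
        """Record the fingerprint of an accepted certificate; weak hashes are refused."""
        if algorithm in WEAK_ALGORITHMS or algorithm not in ACCEPTED_ALGORITHMS:
            raise ValueError(f"refusing to pin certificate with {algorithm}")
        fp = fingerprint(der, algorithm)
        self._pins[hostname] = (algorithm, fp)
        return fp

    def load_legacy(self, hostname: str, algorithm: str, fp: str) -> None:
        """Import an entry written by an older client (e.g. a SHA-1 pin)."""
        self._pins[hostname] = (algorithm, fp)

    def is_pinned(self, hostname: str, der: bytes) -> bool:
        """True only if a non-weak pin exists and matches the presented certificate."""
        entry = self._pins.get(hostname)
        if entry is None:
            return False
        algorithm, expected = entry
        if algorithm in WEAK_ALGORITHMS:
            # Legacy SHA-1 pin: do not trust it silently; force re-acceptance
            # so the store is rewritten with a strong hash.
            return False
        actual = fingerprint(der, algorithm)
        return hmac.compare_digest(actual.encode(), expected.encode())


def fetch_peer_der(host: str, port: int = 443) -> bytes:
    """Fetch the peer's DER certificate without validating it, for a TOFU prompt.

    Not called in this example; shown only as the source of real DER bytes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    store = PinStore()
    print("SHA-1  :", fingerprint(SAMPLE_DER, "sha1"))
    print("SHA-256:", store.pin("example.test", SAMPLE_DER))
    print("match  :", store.is_pinned("example.test", SAMPLE_DER))
```

The comparison uses `hmac.compare_digest` so that a mismatching fingerprint does not leak how many leading bytes matched, and `is_pinned` deliberately returns False for a weak legacy pin instead of upgrading it in place: the original certificate bytes are needed to compute a SHA-256 fingerprint, and the only safe moment to obtain them is when the user consciously accepts the certificate again.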

Recommended Countermeasure

We recommend updating to Cyberduck version 9.1.7 / Mountain Duck version 4.17.6 or later.

Links

Full Security Advisory

Credits

Andreas Boll (SBA Research)
Thomas Kostal (SBA Research)