
Description

GoSign Desktop 2.4.0 and earlier distribute application updates through an unsigned update manifest. The manifest lists package URLs and SHA-256 hashes but carries no digital signature, so its authenticity rests entirely on the TLS channel it is fetched over. In affected versions, TLS certificate validation can be disabled when a proxy is configured; an attacker who can intercept network traffic can then serve a malicious manifest together with a package whose SHA-256 matches it, since the hash only proves that the package is the one the (attacker-controlled) manifest describes. The client downloads and installs the tampered update, which yields arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on some Linux deployments. A local attacker who can modify the proxy settings can likewise abuse this behavior to escalate privileges by forcing installation of a crafted update.
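
The check described above, rebuilt in Go as an added example (not GoSign's own code, and not the vendor's fix): the hash-only verification the affected versions perform beside a verification that first authenticates the manifest with a pinned Ed25519 release key. The manifest field names, the update URL, the key pair and both payloads are assumptions constructed for the example; the real GoSign manifest format is not published on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed, simplified layout: one package URL plus its SHA-256.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the raw manifest bytes plus a detached Ed25519
// signature from the vendor's release key; the client pins the public half.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signManifest is the vendor-side step the affected versions do not perform.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// verifyHashOnly models the vulnerable client. It proves only that the package
// is the one the manifest describes; whoever controls the manifest (an on-path
// attacker once TLS validation is off) simply hashes their own package.
func verifyHashOnly(manifestJSON, pkg []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	if sha256Hex(pkg) != m.SHA256 {
		return errors.New("package SHA-256 does not match manifest")
	}
	return nil
}

// verifySigned is the hardened client: authenticate the manifest bytes with
// the pinned key first, and only then trust the hashes inside it. A manifest
// rewritten on the wire fails here whatever the state of the TLS channel.
func verifySigned(pub ed25519.PublicKey, sm SignedManifest, pkg []byte) error {
	// ed25519.Verify panics on a malformed key, so check the length ourselves.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	return verifyHashOnly(sm.Manifest, pkg)
}

// updateTLSConfig is the channel setting for manifest and package downloads.
// Proxy configuration must never be allowed to set InsecureSkipVerify.
func updateTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: false}
}

// runScenario replays the attack with constructed sample payloads: the vendor
// publishes a signed manifest, then an on-path attacker substitutes their own
// package and a manifest carrying its hash. It returns the signed result for
// the genuine update, then the hash-only and signed results for the tampered pair.
func runScenario() (genuineErr, hashOnlyErr, signedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor release key
	if err != nil {
		return err, err, err
	}
	const url = "https://updates.example/gosign-2.4.1.pkg" // assumed URL
	genuinePkg := []byte("constructed sample: genuine update payload")
	genuine, err := signManifest(priv, Manifest{Version: "2.4.1", URL: url, SHA256: sha256Hex(genuinePkg)})
	if err != nil {
		return err, err, err
	}
	genuineErr = verifySigned(pub, genuine, genuinePkg)

	evilPkg := []byte("constructed sample: attacker-controlled payload")
	evilManifest, _ := json.Marshal(Manifest{Version: "2.4.1", URL: url, SHA256: sha256Hex(evilPkg)})
	hashOnlyErr = verifyHashOnly(evilManifest, evilPkg) // nil: tampered update accepted
	// The attacker can replay the vendor's old signature but cannot produce one
	// over the rewritten bytes without the release key.
	signedErr = verifySigned(pub, SignedManifest{Manifest: evilManifest, Signature: genuine.Signature}, evilPkg)
	return genuineErr, hashOnlyErr, signedErr
}

func main() {
	g, h, s := runScenario()
	fmt.Println("genuine update, signed check:", g)
	fmt.Println("tampered update, hash-only check:", h)
	fmt.Println("tampered update, signed check:", s)
}
```

In a real client the public key is compiled into the binary (or into a signed bootstrap), not downloaded alongside the manifest, and the signature covers the exact bytes that are parsed, so the client never re-serializes before verifying. TLS with certificate validation kept on stays as defence in depth; the signature is what makes the proxy or interception position insufficient on its own.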

State: PUBLISHED | Reserved: 2025-04-15 | Published: 2025-11-18 | Updated: 2025-11-18 | Assigner: VulnCheck




HIGH: 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-347 Improper Verification of Cryptographic Signature

Product status

Default status
unknown

Any version before 2.4.1
affected

Timeline

2025-11-14: Researcher publicly discloses vulnerability

Credits

Pasquale "sid" Fiorillo finder

Francesco "ascii" Ongaro finder

Marco Lunardi finder

References

www.ush.it/...bilities-gosign-desktop-remote-code-execution/ (exploit, technical-description)

www.ush.it/...n-desktop-esecuzione-remota-codice-arbitrario/ (exploit, technical-description)

infocert.digital/consumer/gosign-suite/ (product)

www.vulncheck.com/...n-desktop-insecure-update-mechanism-rce (third-party-advisory)

cve.org (CVE-2025-34324)

nvd.nist.gov (CVE-2025-34324)
