A critical security vulnerability has been identified in Step CA (step-ca), Smallstep's popular open-source online certificate authority, widely used to issue certificates for automated workflows. The flaw, which carries the maximum CVSS severity score of 10.0, could allow attackers to bypass the authorization checks in two of its enrollment provisioners and potentially obtain certificates they are not entitled to.
The vulnerability, tracked as CVE-2025-44005, resides in the Automated Certificate Management Environment (ACME) and Simple Certificate Enrollment Protocol (SCEP) provisioners.
These provisioners are central to Step CA's role in automated enrollment: step-ca issues both X.509 and SSH certificates, and the ACME and SCEP provisioners handle the automated issuance and management of X.509 certificates for clients speaking those protocols. According to the advisory, the flaw is an “Authorization Bypass in ACME and SCEP Provisioners,” meaning the checks that are supposed to confirm a requester is entitled to a certificate can be circumvented.
A CVSS score of 10.0 indicates the highest possible risk level; under CVSS v3.x it corresponds to a network-reachable flaw exploitable with low complexity, no privileges and no user interaction, with high impact on confidentiality, integrity and availability. While the specific technical details are currently being withheld to protect users, the advisory confirms that the issue was “discovered and disclosed by a research team during a security review.”
Fortunately, there is currently “no evidence of active exploitation” in the wild. To keep it that way, Smallstep Labs says it is “withholding detailed technical information for now” to give administrators time to patch before the exploit methodology becomes public knowledge.
The flaw was identified by Stephen Kubik of the Cisco Advanced Security Initiatives Group (ASIG). A full technical write-up is expected to be published in the coming weeks once a sufficient number of deployments have been secured.
The maintainers of Step CA are urging all users to update immediately. The vulnerability is patched in the latest release.
“All operators running these provisioners should upgrade to the latest release (v0.29.0) immediately,” the advisory warns.
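The advisory's scope is "operators running these provisioners", so the first practical question is whether your CA actually has an ACME or SCEP provisioner configured and whether the binary is at or above the fixed release. The script below is an added example, not Smallstep's code or anything from the advisory. It assumes two things the article does not state: that `step-ca version` prints a line containing a dotted semantic version (the sample output and the version number 0.28.3 in it are constructed), and that the CA configuration file (ca.json) lists provisioners under `authority.provisioners`, each with `type` and `name` keys.

```python
"""Exposure check for the step-ca ACME/SCEP advisory (added example, not
Smallstep's code).

Assumptions not taken from the article:
  1. `step-ca version` prints a dotted semantic version somewhere in its
     output, e.g. "Smallstep CA/0.28.3 (linux/amd64)" (constructed sample).
  2. ca.json lists provisioners under authority.provisioners, each with
     "type" and "name" keys.
"""
import json
import re
import subprocess
import sys
from typing import Optional, Tuple

# Fixed release as quoted by the advisory in the article above.
PATCHED_VERSION = (0, 29, 0)
# Provisioner types the advisory names as affected.
AFFECTED_TYPES = {"ACME", "SCEP"}

# Constructed sample inputs so the check runs offline.
SAMPLE_VERSION_OUTPUT = "Smallstep CA/0.28.3 (linux/amd64)\n"
SAMPLE_CA_JSON = json.dumps({
    "authority": {
        "provisioners": [
            {"type": "JWK", "name": "admin@example.com"},
            {"type": "ACME", "name": "acme-internal"},
            {"type": "SCEP", "name": "scep-mdm"},
            {"type": "OIDC", "name": "google"},
        ]
    }
})

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first MAJOR.MINOR.PATCH triple from version output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Tuple[int, int, int]) -> bool:
    """True when the running version is at or above the fixed release.
    Note: a pre-release such as 0.29.0-rc.1 compares as patched here; treat
    anything that is not a final 0.29.0+ build with suspicion."""
    return version >= PATCHED_VERSION


def affected_provisioners(ca_json_text: str) -> list:
    """Return (type, name) for every ACME or SCEP provisioner in ca.json.
    Provisioners managed through the admin API may not appear in the file;
    confirm with `step ca provisioner list` in that case."""
    cfg = json.loads(ca_json_text)
    provs = cfg.get("authority", {}).get("provisioners") or []
    return [
        (str(p.get("type", "")).upper(), p.get("name", ""))
        for p in provs
        if str(p.get("type", "")).upper() in AFFECTED_TYPES
    ]


def assess(version_output: str, ca_json_text: str) -> dict:
    """Combine the two checks into a single verdict."""
    version = parse_version(version_output)
    exposed = affected_provisioners(ca_json_text)
    patched = version is not None and is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "affected_provisioners": exposed,
        # Upgrade is urgent when an affected provisioner exists and the
        # binary is below (or of unknown) version.
        "action_required": bool(exposed) and not patched,
    }


def live_version_output() -> str:
    """Run the real binary if present; otherwise use the constructed sample."""
    try:
        proc = subprocess.run(["step-ca", "version"], capture_output=True,
                              text=True, check=False)
        return proc.stdout or proc.stderr
    except FileNotFoundError:
        return SAMPLE_VERSION_OUTPUT


if __name__ == "__main__":
    # Usage: python check_step_ca.py [/path/to/ca.json]
    ca_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CA_JSON
    print(json.dumps(assess(live_version_output(), ca_json), indent=2))
```

Run it against the real ca.json on the CA host; an `action_required` of true with a listed ACME or SCEP provisioner means the deployment falls squarely inside the advisory's stated scope. Because provisioners can also be added at runtime through the admin API, an empty list from the file alone is not proof of safety: cross-check with `step ca provisioner list` before concluding the instance is out of scope, and upgrade regardless.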