CVE-2025-26787

#!/bin/bash # CVE-2025-26787 PoC - Keyfactor SignServer Access Control Bypass # This PoC demonstrates the configuration reset behavior # Prerequisites: # 1. Valid client authentication certificate trusted by SignServer # 2. Access to SignServer container environment # Step 1: Connect to SignServer with valid client certificate # SignServer CLI command to check current access policy CLI_CMD="/opt/signserver/bin/signserver cliclient.sh" # Step 2: Check access policy before container restart echo "[+] Checking access policy before restart..." $CLI_CMD getprop global allowAnyClientCertAccess # Step 3: Set restrictive access policy (as admin would do) echo "[+] Setting restrictive access policy..." $CLI_CMD setprop global allowAnyClientCertAccess false # Step 4: Verify restrictive policy is applied echo "[+] Verifying restrictive policy..." $CLI_CMD getprop global allowAnyClientCertAccess # Step 5: Simulate container restart (trigger the bug) echo "[!] Simulating container restart - policy will be reset..." docker restart signserver-container # Step 6: Check policy after restart - it will be reset to 'true' echo "[+] Checking access policy after restart..." $CLI_CMD getprop global allowAnyClientCertAccess # Expected result: allowAnyClientCertAccess is 'true' (vulnerable state) echo "[+] If allowAnyClientCertAccess=true, vulnerability is present"

{"cve": {"id": "CVE-2025-26787", "sourceIdentifier": "[email protected]", "published": "2025-12-22T19:15:48.630", "lastModified": "2026-01-05T17:48:54.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure Certificate access to the initial startup of the container sets a property of \"allowany\" to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this admin CLI command to be run on each restart of the container instead of only the first startup as intended resetting the configuration to \"allowany\"."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-642"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2", "matchCriteriaId": "607EC7CA-24F9-40C7-9C10-26943CFCB6A1"}]}]}], "references": [{"url": "https://docs.keyfactor.com/signserver/latest/signserver-7-2-release-notes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://support.keyfactor.com/hc/en-us/articles/33997706776987-SignServer-security-advisory-Container-vulnerability-CVE-2025-26787-fixed-in-version-7-2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}