EXECUTIVE SUMMARY:
A critical security flaw has been found in Step CA that allows attackers to bypass authorization checks. The issue affects the ACME and SCEP provisioners, which handle automated certificate requests. The flaw could let an unauthenticated remote attacker obtain fraudulent certificates or reach restricted parts of the CA system. Although there is no sign of active exploitation yet, full technical details are being withheld to prevent misuse while administrators patch their systems.
CVE-2025-44005: This CVE describes a failure in the authorization checks inside Step CA's ACME and SCEP components. These components are responsible for managing the automated issuance of X.509 and SSH certificates. Because of the flaw, the system does not properly confirm whether a request is legitimate, allowing attackers to act as trusted users. This can result in fraudulent certificates being issued or in unauthorized access to CA infrastructure.
RECOMMENDATION:
We strongly recommend that you upgrade Step CA to version v0.29.0 or later.
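A quick exposure check an administrator can run against a deployment, added here as an example and not part of this advisory or of the Step CA project: it compares the running version against the fixed release named above and lists which configured provisioners are of the affected ACME or SCEP types. It assumes the version string contains an x.y.z number (as printed by `step-ca version`) and that the configuration follows the ca.json layout with provisioners under `authority.provisioners`; the sample configuration is constructed.

```python
import json
import re

# Fixed release named in the advisory; anything older is treated as exposed.
FIXED_VERSION = (0, 29, 0)

# Provisioner types the advisory names as affected.
AFFECTED_TYPES = {"ACME", "SCEP"}

# Constructed sample ca.json fragment (not from any real deployment).
# Assumption: provisioners live under authority.provisioners with a "type".
SAMPLE_CA_JSON = """
{
  "authority": {
    "provisioners": [
      {"type": "JWK",  "name": "admin"},
      {"type": "ACME", "name": "acme-web"},
      {"type": "SCEP", "name": "scep-devices"}
    ]
  }
}
"""

def parse_version(text):
    """Extract the first x.y.z tuple from a version string, e.g. 'v0.28.3'
    or the output of `step-ca version` (format assumed to contain x.y.z)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(text):
    """True when the running version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION

def affected_provisioners(ca_json_text):
    """Names of configured provisioners whose type the advisory lists as affected."""
    cfg = json.loads(ca_json_text)
    provs = cfg.get("authority", {}).get("provisioners", [])
    return [p["name"] for p in provs if p.get("type", "").upper() in AFFECTED_TYPES]

def assess(version_text, ca_json_text):
    """Exposed only if the version is old AND an affected provisioner is enabled."""
    names = affected_provisioners(ca_json_text)
    old = is_vulnerable_version(version_text)
    return {"vulnerable_version": old, "affected_provisioners": names,
            "exposed": old and bool(names)}

if __name__ == "__main__":
    print(assess("v0.28.3", SAMPLE_CA_JSON))
```

Removing the ACME and SCEP provisioners from the configuration only reduces exposure; upgrading remains the recommended fix.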
REFERENCES:
The following reports contain further technical details: