CWE-298
Improper Validation of Certificate Expiration
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
CVE-2025-4384 (GCVE-0-2025-4384)
Vulnerability from cvelistv5
Published
2025-05-06 15:59
Modified
2025-09-05 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-298 - Improper Validation of Certificate Expiration
Summary
The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.
The use of a client certificate reduces the risk for random devices to take advantage of this flaw.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.pcvue.com/security/#SB2025-3 | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:28:43.088933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:28:57.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"MQTT add-on"
],
"product": "PcVue",
"vendor": "arcinfo",
"versions": [
{
"status": "unaffected",
"version": "16.3.0",
"versionType": "cpe"
},
{
"lessThan": "16.2.5",
"status": "affected",
"version": "16.0",
"versionType": "cpe"
},
{
"lessThan": "15.2.12",
"status": "affected",
"version": "15.0",
"versionType": "cpe"
}
]
}
],
"datePublic": "2025-05-05T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\u003cbr\u003e\u003cbr\u003eThe use of a client certificate reduces the risk for random devices to take advantage of this flaw.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\n\nThe use of a client certificate reduces the risk for random devices to take advantage of this flaw."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No POC available."
}
],
"value": "No POC available."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Not known to be exploited."
}
],
"value": "Not known to be exploited."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-298",
"description": "CWE-298 Improper Validation of Certificate Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T16:38:07.518Z",
"orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
"shortName": "arcinfo"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.pcvue.com/security/#SB2025-3"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cu\u003eHarden the configuration\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users\u003cbr\u003eThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\u003cbr\u003e\u003cul\u003e\u003cli\u003eUse client certificate when configuring the MQTT add-on.\u003c/li\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eUpdate PcVue\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users using the affected component\u003cbr\u003eApply the patch by installing a fixed PcVue version.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cu\u003e\u003cb\u003eAvailable patches:\u003c/b\u003e\u003c/u\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePcVue 16.2.5 and PcVue 16.3.0\u003c/li\u003e\u003cli\u003ePcVue 15.2.12\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "Harden the configuration\nWho should apply this recommendation: All users\nThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n * Use client certificate when configuring the MQTT add-on.\n * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\n * Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nWho should apply this recommendation: All users using the affected component\nApply the patch by installing a fixed PcVue version.\n\n\nAvailable patches:\nFixed in:\n * PcVue 16.2.5 and PcVue 16.3.0\n * PcVue 15.2.12"
}
],
"source": {
"advisory": "SB2025-3",
"discovery": "INTERNAL"
},
"title": "Certificate validity not properly verified",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
"assignerShortName": "arcinfo",
"cveId": "CVE-2025-4384",
"datePublished": "2025-05-06T15:59:27.839Z",
"dateReserved": "2025-05-06T15:02:58.174Z",
"dateUpdated": "2025-09-05T16:38:07.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59036 (GCVE-0-2025-59036)
Vulnerability from cvelistv5
Published
2025-09-09 22:06
Modified
2025-09-10 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-298 - Improper Validation of Certificate Expiration
Summary
Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T19:30:44.490593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T19:30:55.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "infrahub",
"vendor": "opsmill",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.9"
},
{
"status": "affected",
"version": "\u003e= 1.4.0, \u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-298",
"description": "CWE-298: Improper Validation of Certificate Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T22:06:47.800Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh"
}
],
"source": {
"advisory": "GHSA-v2p7-4pv4-3wwh",
"discovery": "UNKNOWN"
},
"title": "Infrahub allows authentication with deleted and expired API tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59036",
"datePublished": "2025-09-09T22:06:47.800Z",
"dateReserved": "2025-09-08T16:19:26.171Z",
"dateUpdated": "2025-09-10T19:30:55.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
Phase: Implementation
Description:
- If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
No CAPEC attack patterns related to this CWE.