CVE-2025-59270

Summary

psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' position could manipulate the TLS handshake and downgrade TLS to a deprecated protocol. Fixed in 7.0.209.

Affected Software

VendorProductVersion RangeStatus
pspetepsPAS6.4.85 < 7.0.209affected
pspetepsPAS7.0.209unaffected

Weaknesses

  • CWE-757: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References