Multiple Vulnerabilities in GoSign Desktop lead to Remote Attacks
- Nov 16, 2025
- 2 min read
Key Findings
GoSign Desktop, a widely used electronic signature solution, contains high-severity vulnerabilities (CVSS 3.1 base score 8.2) that chain into remote code execution and local privilege escalation.
The platform disables TLS certificate validation when configured to use a proxy server, exposing users to man-in-the-middle attacks.
The update mechanism relies on an unsigned manifest, allowing an attacker to deliver malicious updates and fully compromise the machine.
Sensitive data, such as OAuth secrets and JWT tokens, can be intercepted due to the TLS validation bypass.
A local attacker can also escalate privileges on Linux systems by modifying the update configuration.
Background
GoSign is an advanced and qualified electronic signature solution developed by Tinexta InfoCert S.p.A., used by public administrations, businesses, and professionals to manage approval workflows with traceability and security. The SaaS/web version of the product has received the "QC2" qualification from the Italian National Cybersecurity Agency (ACN), certifying its ability to securely handle critical data, including data processed by public administrations.
TLS Verification Bypass
When a proxy is configured, the GoSign Desktop process disables TLS certificate validation by calling OpenSSL's `SSL_CTX_set_verify()` with `SSL_VERIFY_NONE`. In that mode the peer certificate is never chain-validated, so any certificate presented by whoever sits between the client and the backend is accepted; the authentication property of the TLS channel is nullified, and with it the confidentiality and integrity of everything carried over it.
Affected versions: GoSign Desktop 2.4.0 (Windows, Linux, macOS)
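The following is an added example, not code from the advisory or from GoSign Desktop, showing the Go equivalent of the two configurations: `InsecureSkipVerify: true` (the analogue of `SSL_VERIFY_NONE`) beside a client that keeps verification on and, where an interception proxy genuinely has to be supported, trusts that proxy's CA explicitly instead of trusting everything. The backend is a constructed `httptest` server whose self-signed certificate plays the role of the unknown certificate a man-in-the-middle would present; the `/oauth/token` path and the token body are assumptions for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeBackend stands in for the endpoint that hands the desktop client its
// tokens. Constructed for this example; its certificate is self-signed, i.e.
// exactly what a MitM proxy would present.
func newFakeBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"access_token":"eyJ.example.jwt"}`)
	}))
}

// vulnerableConfig mirrors SSL_VERIFY_NONE: every certificate is accepted, so
// whoever terminates the connection reads the tokens in clear.
func vulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedConfig keeps chain and hostname verification. If a corporate
// interception proxy must be supported, its CA is added to the trust pool on
// top of the system roots; verification itself is never switched off.
func hardenedConfig(proxyCA *x509.Certificate) *tls.Config {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if proxyCA != nil {
		pool.AddCert(proxyCA)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// fetchToken performs the token request with the given TLS settings.
func fetchToken(baseURL string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(baseURL + "/oauth/token")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// isUnknownAuthority reports whether the failure is the one a strict client
// must produce when a certificate from an untrusted issuer is presented.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

type tlsDemo struct {
	BypassAccepted bool   // InsecureSkipVerify talked to the unknown certificate
	StrictRejected bool   // default verification refused it
	PinnedAccepted bool   // verification on, proxy CA explicitly trusted
	Token          string // what the bypassing client leaked to the fake backend
}

func runTLSDemo() tlsDemo {
	srv := newFakeBackend()
	defer srv.Close()
	var d tlsDemo

	tok, err := fetchToken(srv.URL, vulnerableConfig())
	d.BypassAccepted = err == nil
	d.Token = tok

	_, err = fetchToken(srv.URL, hardenedConfig(nil))
	d.StrictRejected = isUnknownAuthority(err)

	_, err = fetchToken(srv.URL, hardenedConfig(srv.Certificate()))
	d.PinnedAccepted = err == nil
	return d
}

func main() {
	d := runTLSDemo()
	fmt.Printf("bypass accepted unknown certificate: %v\n", d.BypassAccepted)
	fmt.Printf("strict client rejected it:           %v\n", d.StrictRejected)
	fmt.Printf("strict + trusted proxy CA accepted:  %v\n", d.PinnedAccepted)
}
```

The point of the third case is the fix the vendor has not shipped: a proxy deployment is handled by adding the proxy's CA to the trust store, not by disabling verification for every host the client talks to.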
Insecure Update Mechanism
The update process relies on an unsigned manifest that carries only the update package URL and its SHA-256 hash.
Because nothing authenticates the manifest itself, the hash adds no security against an attacker who controls the channel: a man-in-the-middle (the position the TLS bypass above hands over) can rewrite the manifest to point at a malicious package, supply that package's own SHA-256, and the client will download, "verify" and execute it, resulting in remote code execution.
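An added example, not the advisory's or the vendor's code, showing why a hash-only manifest is no protection and what an authenticated one looks like. The manifest layout (`url`, `sha256`, and an added `sig` field) and the use of Ed25519 with a vendor public key pinned in the client are assumptions chosen to illustrate the principle; the vendor's actual update format and whatever signing scheme 2.4.1 may use are not described on the page. Package contents and URLs are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the shape the advisory describes (URL plus SHA-256); the
// Signature field is what the vulnerable design lacks.
type Manifest struct {
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`
	Signature string `json:"sig,omitempty"` // hex Ed25519 signature over URL and hash
}

// signedBytes is the exact byte string the vendor signs and the client verifies.
func (m Manifest) signedBytes() []byte { return []byte(m.URL + "\n" + m.SHA256) }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func parseManifest(wire []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(wire, &m)
	return m, err
}

// verifyUnsigned is the vulnerable check: a manifest is accepted whenever the
// hash matches the package it points at, which a MitM can always arrange.
func verifyUnsigned(m Manifest, pkg []byte) error {
	if sha256Hex(pkg) != m.SHA256 {
		return errors.New("package hash does not match manifest")
	}
	return nil
}

// verifySigned first requires a valid signature from the pinned vendor key,
// then still checks the hash so the signed manifest is bound to the bytes.
func verifySigned(vendorPub ed25519.PublicKey, m Manifest, pkg []byte) error {
	sig, err := hex.DecodeString(m.Signature)
	if err != nil || !ed25519.Verify(vendorPub, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	return verifyUnsigned(m, pkg)
}

func signManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, m.signedBytes()))
	return m
}

// tamper is the MitM's edit on the wire: swap the package, recompute the hash.
func tamper(m Manifest, evilPkg []byte) Manifest {
	m.URL = "https://updates.example.invalid/gosign-evil.pkg" // assumed URL
	m.SHA256 = sha256Hex(evilPkg)
	return m
}

type updateDemo struct {
	UnsignedAcceptsTampered bool // the vulnerable client runs the attacker's package
	SignedAcceptsGenuine    bool
	SignedRejectsTampered   bool // old signature no longer covers the new URL/hash
	SignedRejectsResigned   bool // attacker's own key is not the pinned vendor key
}

func runUpdateDemo() (updateDemo, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return updateDemo{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return updateDemo{}, err
	}
	genuine := []byte("constructed sample: genuine update package bytes")
	evil := []byte("constructed sample: attacker-supplied package bytes")

	// Vendor publishes a signed manifest for the genuine package.
	signed := signManifest(vendorPriv, Manifest{
		URL:    "https://updates.example.invalid/gosign-2.4.1.pkg", // assumed URL
		SHA256: sha256Hex(genuine),
	})
	wire, err := json.Marshal(signed)
	if err != nil {
		return updateDemo{}, err
	}
	received, err := parseManifest(wire)
	if err != nil {
		return updateDemo{}, err
	}
	tampered := tamper(received, evil)
	resigned := signManifest(attackerPriv, tampered)

	return updateDemo{
		UnsignedAcceptsTampered: verifyUnsigned(tampered, evil) == nil,
		SignedAcceptsGenuine:    verifySigned(vendorPub, received, genuine) == nil,
		SignedRejectsTampered:   verifySigned(vendorPub, tampered, evil) != nil,
		SignedRejectsResigned:   verifySigned(vendorPub, resigned, evil) != nil,
	}, nil
}

func main() {
	d, err := runUpdateDemo()
	fmt.Printf("%+v err=%v\n", d, err)
}
```

Note that signing the manifest only authenticates the metadata; the package hash check remains necessary so that the bytes actually downloaded are the ones the vendor vouched for.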
Verified Security Impacts
OAuth secret leakage
Remote code execution
Privilege escalation on Linux systems
CVSS 3.1 Score and CWE Mappings
CVSS 3.1 Score: 8.2 (High)
CWE Mappings:
CWE-295: Improper Certificate Validation
CWE-347: Improper Verification of Cryptographic Signature
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Attack Scenarios
1. Man-in-the-Middle (MitM) Attack:
When a proxy is configured, the client accepts whatever certificate is presented to it, including a self-signed one, so anyone in the path between the client and the backend can intercept sensitive data such as OAuth secrets, JWT tokens, and refresh tokens.
Attackers can also manipulate the update manifests to deliver malicious updates and gain full system compromise.
2. Privilege Escalation:
A local attacker can modify the `~/.gosign/dike.conf` file to force malicious updates and escalate privileges on Linux systems.
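The advisory does not detail how the edited configuration turns into elevated privileges, so the following added example (not the vendor's code) makes the usual assumption explicit: an updater running with elevated privileges must not take its update source from a file an unprivileged user can write. The check refuses a configuration file that is a symlink, not a regular file, group- or world-writable, or owned by a different user than expected; a root updater would pass `0` as `allowedUID`, which rejects anything under a user's home directory such as `~/.gosign/dike.conf`. The files, their contents and the `update_url` key are constructed for the demonstration; the test runs with the current user's UID so it is runnable unprivileged.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// checkConfigTrust returns nil only if a privileged updater may safely act on
// the configuration at path. Unix-only (uses syscall.Stat_t for ownership).
func checkConfigTrust(path string, allowedUID uint32) error {
	fi, err := os.Lstat(path) // Lstat: do not follow a link planted by the user
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return errors.New("config is a symlink; refusing to follow")
	}
	if !fi.Mode().IsRegular() {
		return errors.New("config is not a regular file")
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("config is group/world writable (mode %#o)", uint32(fi.Mode().Perm()))
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return errors.New("cannot determine file ownership")
	}
	if st.Uid != allowedUID {
		return fmt.Errorf("config owned by uid %d, expected %d", st.Uid, allowedUID)
	}
	return nil
}

type permDemo struct {
	PrivateAccepted       bool // 0600, owned by the expected user
	WorldWritableRejected bool // 0666: any local user could rewrite the update source
	SymlinkRejected       bool // link pointing at an otherwise fine file
	ForeignOwnerRejected  bool // file owned by someone other than the updater's user
}

func runPermDemo() (permDemo, error) {
	dir, err := os.MkdirTemp("", "gosign-conf-demo")
	if err != nil {
		return permDemo{}, err
	}
	defer os.RemoveAll(dir)

	body := []byte("update_url=https://updates.example.invalid/manifest.json\n") // constructed
	private := filepath.Join(dir, "dike.conf")
	loose := filepath.Join(dir, "dike-loose.conf")
	link := filepath.Join(dir, "dike-link.conf")
	for _, p := range []string{private, loose} {
		if err := os.WriteFile(p, body, 0o600); err != nil {
			return permDemo{}, err
		}
	}
	// Chmod explicitly: os.WriteFile's mode is subject to the umask.
	if err := os.Chmod(loose, 0o666); err != nil {
		return permDemo{}, err
	}
	if err := os.Symlink(private, link); err != nil {
		return permDemo{}, err
	}

	me := uint32(os.Geteuid())
	return permDemo{
		PrivateAccepted:       checkConfigTrust(private, me) == nil,
		WorldWritableRejected: checkConfigTrust(loose, me) != nil,
		SymlinkRejected:       checkConfigTrust(link, me) != nil,
		ForeignOwnerRejected:  checkConfigTrust(private, me+1) != nil,
	}, nil
}

func main() {
	d, err := runPermDemo()
	fmt.Printf("%+v err=%v\n", d, err)
}
```

The ownership and mode checks are a mitigation, not the fix: the durable fix is for the privileged component to read its update source only from a location the unprivileged user cannot write at all.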
Workaround and Vendor Response
A fix for the remote code execution and privilege escalation issues was released in GoSign Desktop 2.4.1 on 2025-11-04.
However, the TLS certificate validation bypass issue remains unresolved, as the vendor has not restored the default TLS verification behavior when a proxy is configured.
The vendor's handling of the responsible disclosure process was not satisfactory, as they ceased communication after the initial call and did not provide a changelog acknowledging the reported vulnerabilities.
Sources
https://securityaffairs.com/184672/hacking/multiple-vulnerabilities-in-gosign-desktop-lead-to-remote-code-execution.html
https://x.com/securityaffairs/status/1989811740486635605
https://x.com/Cyber_O51NT/status/1989894515331604922

