CVE-2025-7390 - Vulnerability Details - OpenCVE

A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Softing	Edgeaggregator Edgeconnector Opc

No data.

No data.

References

Link	Providers
https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html
https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json

History

Thu, 21 Aug 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 21 Aug 2025 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Softing Softing edgeaggregator Softing edgeconnector Softing opc
Vendors & Products		Softing Softing edgeaggregator Softing edgeconnector Softing opc

Thu, 21 Aug 2025 06:15:00 +0000

Type	Values Removed	Values Added
Description		A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.
Title		Bypass the client certificate trust check of an opc.https server while only secure communication is allowed
Weaknesses		CWE-295
References		https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Softing

Published: 2025-08-21T06:08:00.210Z

Updated: 2025-08-21T13:53:15.381Z

Reserved: 2025-07-09T13:09:38.988Z

Link: CVE-2025-7390

Vulnrichment

Updated: 2025-08-21T13:51:57.325Z

NVD

Status : Received

Published: 2025-08-21T06:15:35.157

Modified: 2025-08-21T06:15:35.157

Link: CVE-2025-7390

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7390", "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "state": "PUBLISHED", "assignerShortName": "Softing", "dateReserved": "2025-07-09T13:09:38.988Z", "datePublished": "2025-08-21T06:08:00.210Z", "dateUpdated": "2025-08-21T13:53:15.381Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-c-sdks-for-windows.html", "defaultStatus": "unaffected", "modules": ["opc.https server"], "platforms": ["Windows", "Linux", "VxWorks"], "product": "OPC UA C++ SDK", "vendor": "Softing Industrial Automation GmbH", "versions": [{"changes": [{"at": "6.80.1", "status": "unaffected"}], "lessThanOrEqual": "6.80", "status": "affected", "version": "6.40", "versionType": "custom"}]}, {"collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeconnector.html", "defaultStatus": "affected", "platforms": ["Linux"], "product": "edgeConnector", "vendor": "Softing Industrial Automation GmbH", "versions": [{"lessThanOrEqual": "2025.03", "status": "affected", "version": "0", "versionType": "custom"}]}, {"collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeaggregator.html", "defaultStatus": "affected", "platforms": ["Linux"], "product": "edgeAggregator", "vendor": "Softing Industrial Automation GmbH", "versions": [{"lessThanOrEqual": "2025.03", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2025-08-14T06:37:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."}], "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "shortName": "Softing", "dateUpdated": "2025-08-21T06:08:00.210Z"}, "references": [{"tags": ["x_html"], "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html"}, {"tags": ["x_json"], "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OPC UA C++ SDK V6.80.1 Service-Patch<br>"}], "value": "OPC UA C++ SDK V6.80.1 Service-Patch"}], "source": {"discovery": "UNKNOWN"}, "title": "Bypass the client certificate trust check of an opc.https server while only secure communication is allowed", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T13:51:51.306799Z", "id": "CVE-2025-7390", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:53:15.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-21T13:51:51.306799Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T13:51:57.325Z"}}], "cna": {"title": "Bypass the client certificate trust check of an opc.https server while only secure communication is allowed", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Softing Industrial Automation GmbH", "modules": ["opc.https server"], "product": "OPC UA C++ SDK", "versions": [{"status": "affected", "changes": [{"at": "6.80.1", "status": "unaffected"}], "version": "6.40", "versionType": "custom", "lessThanOrEqual": "6.80"}], "platforms": ["Windows", "Linux", "VxWorks"], "collectionURL": "https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-c-sdks-for-windows.html", "defaultStatus": "unaffected"}, {"vendor": "Softing Industrial Automation GmbH", "product": "edgeConnector", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2025.03"}], "platforms": ["Linux"], "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeconnector.html", "defaultStatus": "affected"}, {"vendor": "Softing Industrial Automation GmbH", "product": "edgeAggregator", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2025.03"}], "platforms": ["Linux"], "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeaggregator.html", "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "OPC UA C++ SDK V6.80.1 Service-Patch", "supportingMedia": [{"type": "text/html", "value": "OPC UA C++ SDK V6.80.1 Service-Patch<br>", "base64": false}]}], "datePublic": "2025-08-14T06:37:00.000Z", "references": [{"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html", "tags": ["x_html"]}, {"url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json", "tags": ["x_json"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.", "supportingMedia": [{"type": "text/html", "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "shortName": "Softing", "dateUpdated": "2025-08-21T06:08:00.210Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7390", "state": "PUBLISHED", "dateUpdated": "2025-08-21T13:53:15.381Z", "dateReserved": "2025-07-09T13:09:38.988Z", "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd", "datePublished": "2025-08-21T06:08:00.210Z", "assignerShortName": "Softing"}, "dataVersion": "5.1"}