{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-7390","assignerOrgId":"10de8ef9-5c89-4b17-8228-e97b74acf4bd","state":"PUBLISHED","assignerShortName":"Softing","dateReserved":"2025-07-09T13:09:38.988Z","datePublished":"2025-08-21T06:08:00.210Z","dateUpdated":"2026-03-27T08:36:30.497Z"},"containers":{"cna":{"providerMetadata":{"orgId":"10de8ef9-5c89-4b17-8228-e97b74acf4bd","shortName":"Softing","dateUpdated":"2026-03-27T08:36:30.497Z"},"title":"Bypass the client certificate trust check of an opc.https server while only secure communication is allowed","datePublic":"2025-08-14T06:37:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-295","description":"CWE-295 Improper Certificate Validation","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"affected":[{"vendor":"Softing","product":"OPC UA C++ SDK","platforms":["Windows","Linux","VxWorks"],"collectionURL":"https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-c-sdks-for-windows.html","modules":["opc.https server"],"versions":[{"status":"affected","version":"6.40","lessThanOrEqual":"6.80","versionType":"custom"},{"status":"unaffected","version":"6.80.1","versionType":"custom"}],"defaultStatus":"unaffected"},{"vendor":"Softing","product":"edgeConnector","platforms":["Linux"],"collectionURL":"https://industrial.softing.com/de/produkte/docker-container/edgeconnector.html","versions":[{"status":"affected","version":"0","lessThanOrEqual":"2025.03","versionType":"custom"},{"status":"unaffected","version":"SDEX Suite V1.0","versionType":"custom"}],"defaultStatus":"affected"},{"vendor":"Softing","product":"edgeAggregator","platforms":["Linux"],"collectionURL":"https://industrial.softing.com/de/produkte/docker-container/edgeaggregator.html","versions":[{"status":"affected","version":"0","lessThanOrEqual":"2025.03","versionType":"custom"},{"status":"unaffected","version":"SDEX Suite 
V1.0","versionType":"custom"}],"defaultStatus":"affected"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:*:*:windows:*:*:*:*:*","versionStartIncluding":"6.40","versionEndIncluding":"6.80"},{"vulnerable":true,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:*:*:linux:*:*:*:*:*","versionStartIncluding":"6.40","versionEndIncluding":"6.80"},{"vulnerable":true,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:*:*:vxworks:*:*:*:*:*","versionStartIncluding":"6.40","versionEndIncluding":"6.80"},{"vulnerable":false,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:windows:*:*:*:*:*"},{"vulnerable":false,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:linux:*:*:*:*:*"},{"vulnerable":false,"criteria":"cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:vxworks:*:*:*:*:*"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:softing:edgeconnector:*:*:linux:*:*:*:*:*","versionStartIncluding":"0","versionEndIncluding":"2025.03"},{"vulnerable":false,"criteria":"cpe:2.3:a:softing:edgeconnector:sdex_suite_v1.0:*:linux:*:*:*:*:*"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:softing:edgeaggregator:*:*:linux:*:*:*:*:*","versionStartIncluding":"0","versionEndIncluding":"2025.03"},{"vulnerable":false,"criteria":"cpe:2.3:a:softing:edgeaggregator:sdex_suite_v1.0:*:linux:*:*:*:*:*"}]}]}],"descriptions":[{"lang":"en","value":"A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.","supportingMedia":[{"type":"text/html","base64":false,"value":"A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure 
communication."}]}],"references":[{"url":"https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html"},{"url":"https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseSeverity":"CRITICAL","baseScore":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}],"solutions":[{"lang":"en","value":"Apply the OPC UA C++ SDK V6.80.1 Service-Patch.","supportingMedia":[{"type":"text/html","base64":false,"value":"Apply the OPC UA C++ SDK V6.80.1 Service-Patch.<br>"}]},{"lang":"en","value":"edgeAggregator and edgeConnector are now integrated into SDEX Suite; the issue is fixed in SDEX Suite V1.0.","supportingMedia":[{"type":"text/html","base64":false,"value":"edgeAggregator and edgeConnector are now integrated into SDEX Suite; the issue is fixed in SDEX Suite V1.0."}]}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-08-21T13:51:51.306799Z","id":"CVE-2025-7390","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-08-21T13:53:15.381Z"}}]}}