CVE-2025-23369
Published: 21 January 2025
Summary
CVE-2025-23369 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in GitHub Enterprise Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 6.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of flaws such as the improper cryptographic signature verification in GitHub Enterprise Server, by patching vulnerable instances to a fixed version.
Mandates software integrity verification using cryptographic signatures and monitoring for unauthorized changes, directly addressing the signature spoofing vulnerability.
Implements cryptographic mechanisms to protect information integrity, ensuring proper signature verification to prevent spoofing exploited in SAML SSO contexts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper signature verification in the SAML SSO context enables signature spoofing by low-privileged users, directly facilitating privilege escalation (T1068) and the forging of accepted SAML tokens (T1606.002).
NVD Description
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.
Deeper analysis
CVE-2025-23369 is an improper verification of cryptographic signature vulnerability (CWE-347) in GitHub Enterprise Server, enabling signature spoofing. It affects all versions prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. The issue was reported through the GitHub Bug Bounty program and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited over the network by authenticated users with low privileges on GitHub Enterprise Server instances configured with SAML single sign-on. Instances that do not use SAML SSO, or where the attacker is not already an existing user, are unaffected. Successful exploitation allows an attacker to spoof signatures, with potentially high impact on confidentiality, integrity, and availability.
Mitigation requires upgrading to GitHub Enterprise Server versions 3.12.14, 3.13.10, 3.14.7, 3.15.2, or 3.16.0, as detailed in the corresponding release notes.
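As an added example (not code from the advisory or from GitHub), a small Python triage helper that checks a GitHub Enterprise Server version string against the fixed releases listed above. It assumes, following the advisory's "all versions prior to" wording, that release branches with no listed fix (3.11 and earlier) are affected, and that branches newer than 3.16 already carry the fix.

```python
# Added example, not from the advisory: triage a GitHub Enterprise Server
# version against the fixed releases listed for CVE-2025-23369. The branch
# map and "older branches are affected" rule are my reading of the text.
from typing import Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (3, 12): (3, 12, 14),
    (3, 13): (3, 13, 10),
    (3, 14): (3, 14, 7),
    (3, 15): (3, 15, 2),
    (3, 16): (3, 16, 0),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str, saml_sso_enabled: bool = True) -> bool:
    """True if the instance is exposed to CVE-2025-23369.

    The advisory scopes impact to instances using SAML single sign-on, so
    an unpatched build without SAML SSO reports False (patch it anyway).
    """
    major, minor, patch = parse_version(version)
    if not saml_sso_enabled:
        return False
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    # Branches newer than every listed fix already carry it; older ones do not.
    return branch < max(FIXED_VERSIONS)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, SAML SSO enabled)
    inventory = [("ghes-prod", "3.14.6", True), ("ghes-stg", "3.15.2", True),
                 ("ghes-old", "3.11.9", True), ("ghes-local", "3.13.1", False)]
    for host, ver, saml in inventory:
        print(host, ver, "VULNERABLE" if is_vulnerable(ver, saml) else "not exposed")
```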
Details
- CWE(s)