Cyber Resilience

CVE-2025-23369

High

Published: 21 January 2025

Published
21 January 2025
Modified
05 September 2025
KEV Added
Patch
CVSS Score v4 7.6 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1178 93.9th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23369 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Github Enterprise Server. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

An improper verification of cryptographic signature vulnerability, tracked as CVE-2025-23369 and assigned CWE-347, was identified in GitHub Enterprise Server. The flaw permitted signature spoofing by unauthorized internal users and affected all versions prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. Instances that did not use SAML single sign-on, or where the attacker was not already an existing user, were not impacted. The issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 score of 7.6.

The vulnerability could be exploited over the network by an authenticated user with low privileges in a SAML SSO environment. Successful exploitation enabled spoofing of cryptographic signatures, resulting in high impact to confidentiality and integrity along with limited impact to availability.

Release notes for the fixed versions document that administrators should upgrade GitHub Enterprise Server to 3.12.14, 3.13.10, 3.14.7, 3.15.2, or 3.16.0 to address the issue. The associated EPSS score reached a peak of 0.1239 with a current value of 0.1178.

EU & UK References

Vulnerability details

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted.…

more

This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1606.002 SAML Tokens Credential Access
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

Improper signature verification in SAML SSO context enables signature spoofing by low-priv users, directly facilitating privilege escalation (T1068) and forging of accepted SAML tokens (T1606.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5845Same product: Github Enterprise Server
CVE-2026-0573Same product: Github Enterprise Server
CVE-2026-3854Same product: Github Enterprise Server
CVE-2024-10001Same product: Github Enterprise Server
CVE-2026-5921Same product: Github Enterprise Server
CVE-2026-20965Shared CWE-347
CVE-2026-3562Shared CWE-347
CVE-2025-36418Shared CWE-347
CVE-2026-1529Shared CWE-347
CVE-2025-20206Shared CWE-347

Affected Assets

github
enterprise server
≤ 3.12.14 · 3.13.0 — 3.13.10 · 3.14.0 — 3.14.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws like the improper cryptographic signature verification in GitHub Enterprise Server via patching to vulnerable versions.

preventdetect

Mandates software integrity verification using cryptographic signatures and monitoring for unauthorized changes, directly addressing the signature spoofing vulnerability.

prevent

Implements cryptographic mechanisms to protect information integrity, ensuring proper signature verification to prevent spoofing exploited in SAML SSO contexts.

References