The vulnerability CVE-2025-34324 affects GoSign Desktop versions 2.4.0 and earlier by failing to cryptographically sign the update manifest used for distributing application updates. The manifest includes package URLs and SHA-256 hashes but lacks a digital signature, relying solely on the security of the TLS channel to ensure authenticity. However, when a proxy is configured, the software allows disabling TLS certificate validation, which can be exploited by an attacker capable of intercepting network traffic. Such an attacker can supply a malicious update manifest and a corresponding package with a matching SHA-256 hash, tricking the client into downloading and installing a tampered update. This results in arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or elevated privileges on certain Linux deployments. Furthermore, a local attacker with the ability to modify proxy settings can abuse this flaw to escalate privileges by forcing the installation of a crafted update. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) and has a CVSS 4.0 score of 7, indicating high severity. No known exploits have been reported in the wild as of the publication date. The root cause is the lack of a digitally signed update manifest combined with the ability to disable TLS validation, which undermines the integrity and authenticity of software updates.

For European organizations, this vulnerability poses significant risks, especially those relying on GoSign Desktop for digital signature services and document authentication. Successful exploitation can lead to arbitrary code execution, potentially compromising the confidentiality, integrity, and availability of sensitive documents and systems. On Windows and macOS, the attacker gains user-level privileges, which may be sufficient to access sensitive data or disrupt operations. On some Linux deployments, the attacker may achieve elevated privileges, increasing the risk of full system compromise. The ability for a local attacker to escalate privileges by modifying proxy settings further exacerbates the threat, particularly in environments where endpoint security controls are lax. Given that GoSign Desktop is used in legal, financial, and governmental sectors in Europe, exploitation could undermine trust in digital signatures and lead to regulatory compliance issues under GDPR and other data protection laws. The reliance on proxy configurations in corporate networks increases the attack surface, especially in organizations with complex network architectures or remote work setups.

Organizations should immediately audit their GoSign Desktop installations and update to a patched version once available. In the interim, enforce strict TLS certificate validation and disable any option that allows bypassing TLS checks, especially when proxies are in use. Implement network-level protections such as TLS interception detection and restrict proxy configuration changes to trusted administrators only. Digitally signing the update manifest should be prioritized by the vendor to ensure authenticity and integrity of updates. Organizations can also implement application whitelisting and endpoint detection and response (EDR) solutions to detect and block unauthorized code execution. Monitoring network traffic for unusual update requests and verifying update sources can help detect exploitation attempts. Additionally, educating users about the risks of proxy manipulation and ensuring least privilege principles on endpoints can reduce the impact of local attacks. Regular security assessments and penetration testing focusing on update mechanisms and proxy configurations are recommended to identify and remediate weaknesses.