CVE-2025-59270: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in pspete psPAS
psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' position could manipulate the TLS handshake and downgrade TLS to a deprecated protocol. Fixed in 7.0.209.
AI Analysis
Technical Summary
CVE-2025-59270 is a vulnerability identified in the psPAS PowerShell module developed by pspete, specifically affecting version 6.4.85. The issue arises in the 'Get-PASSAMLResponse' function, which handles SAML authentication. This function does not explicitly enforce the use of TLS 1.2 or higher during the TLS handshake. As a result, an unauthenticated attacker positioned as a Man-in-the-Middle (MitM) can manipulate the TLS negotiation to downgrade the connection to a less secure, deprecated protocol version (e.g., TLS 1.0 or 1.1). This algorithm downgrade attack (CWE-757) weakens the cryptographic protections of the session, potentially exposing sensitive authentication tokens or session data to interception or tampering. However, the vulnerability does not directly allow for integrity or availability compromise, nor does it require user interaction or authentication to exploit. The vendor has addressed this issue in version 7.0.209 by enforcing TLS 1.2 or higher during the handshake, mitigating the downgrade risk. The CVSS v3.1 base score is 3.1, reflecting low severity, primarily due to high attack complexity and limited impact (confidentiality impact only, no integrity or availability impact). No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability poses a moderate confidentiality risk during the SAML authentication process when using the affected psPAS module version. Since psPAS is a PowerShell module used for privileged access management and automation, interception of authentication tokens or session data could lead to unauthorized access if attackers successfully downgrade TLS and capture sensitive information. However, the low CVSS score and absence of known exploits suggest limited immediate risk. Organizations relying on psPAS for critical identity and access management workflows may face increased exposure to MitM attacks on internal networks or less secure environments where TLS downgrade is feasible. The impact is more pronounced in sectors with stringent compliance requirements for secure authentication, such as finance, healthcare, and government. The vulnerability does not affect integrity or availability directly but could facilitate further attacks if attackers obtain authentication credentials or tokens.
Mitigation Recommendations
European organizations should upgrade psPAS to version 7.0.209 or later, where TLS 1.2 enforcement is implemented to prevent downgrade attacks. Until the upgrade is applied, network-level mitigations include enforcing strict TLS policies on endpoints and network devices, disabling deprecated TLS versions (1.0 and 1.1) across the environment, and deploying TLS inspection tools to detect downgrade attempts. Additionally, organizations should monitor network traffic for unusual TLS negotiation patterns indicative of MitM attacks. Employing network segmentation and zero-trust principles can limit exposure of authentication traffic to untrusted networks. Regularly auditing PowerShell modules and scripts for outdated dependencies and enforcing secure coding practices around authentication workflows will reduce similar risks. Finally, educating security teams about the risks of algorithm downgrade attacks and ensuring incident response plans include TLS-related attack scenarios will improve preparedness.
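The following audit script is an added example, not code from psPAS or from this advisory: it inventories installed psPAS versions against the fixed release 7.0.209 and inspects the session's .NET protocol flags. The function names are hypothetical, and pinning `ServicePointManager` to TLS 1.2 is an assumed interim measure for Windows PowerShell 5.1, not a description of how the vendor's fix is implemented.

```powershell
# Added example: audit psPAS versions and session TLS settings (function names are hypothetical).
$FixedVersion = [version]'7.0.209'   # fixed release named in the advisory

function Get-PsPasExposure {
    # One object per installed psPAS version, with an upgrade verdict.
    Get-Module -ListAvailable -Name psPAS | ForEach-Object {
        [pscustomobject]@{
            Version      = $_.Version
            Path         = $_.ModuleBase
            NeedsUpgrade = ($_.Version -lt $FixedVersion)
        }
    }
}

function Test-DeprecatedTlsEnabled {
    # True when the session explicitly allows SSL 3.0, TLS 1.0 or TLS 1.1.
    # SystemDefault (0) returns False here: the OS Schannel policy decides,
    # so deprecated versions must also be disabled at the OS level.
    $current    = [Net.ServicePointManager]::SecurityProtocol
    $deprecated = [Net.SecurityProtocolType]::Ssl3 -bor
                  [Net.SecurityProtocolType]::Tls  -bor
                  [Net.SecurityProtocolType]::Tls11
    return ([int]($current -band $deprecated) -ne 0)
}

$installed = @(Get-PsPasExposure)
if (-not $installed) {
    Write-Output 'psPAS is not installed for this user or machine.'
}
$installed | Format-Table -AutoSize

if (Test-DeprecatedTlsEnabled) {
    Write-Warning "Session allows deprecated protocols: $([Net.ServicePointManager]::SecurityProtocol)"
}

if ($installed.NeedsUpgrade -contains $true) {
    # Interim hardening for this session only (assumption: Windows PowerShell 5.1,
    # where web cmdlets honour ServicePointManager). Upgrading is the actual fix.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Write-Warning 'psPAS older than 7.0.209 found; session pinned to TLS 1.2. Run: Update-Module -Name psPAS'
}
```

The pin lasts only for the current session and does not remove older module versions left side by side on disk, so re-run the inventory after upgrading.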
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-09-11T19:17:13.881Z
- CVSS Version: 3.1
- State: PUBLISHED
 
Threat ID: 68c978667303a81d6bf89e1c
Added to database: 9/16/2025, 2:47:02 PM
Last enriched: 10/1/2025, 12:19:37 AM
Last updated: 10/31/2025, 10:35:51 PM