
CVE-2025-65083: CWE-295 Improper Certificate Validation in Tinexta Infocert GoSign Desktop

Severity: Low
Tags: Vulnerability, CVE-2025-65083, CWE-295
Published: Mon Nov 17 2025 (11/17/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Tinexta Infocert
Product: GoSign Desktop

Description

GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files.

AI-Powered Analysis

AI analysis last updated: 11/17/2025, 16:16:51 UTC

Technical Analysis

CVE-2025-65083 identifies an improper certificate validation weakness (CWE-295) in Tinexta Infocert's GoSign Desktop, versions through 2.4.1. When the application is configured to use a proxy server for its outbound HTTPS connections, it disables TLS certificate validation altogether: the certificate presented on those connections is no longer checked against a trust store or matched against the expected hostname. Whoever terminates TLS on that path, whether the configured proxy itself or a machine-in-the-middle sitting between an honest proxy and the origin server, can present an arbitrary certificate and the client will accept it.

The practical consequence is loss of integrity on the application's network channel. The CVE scores only integrity impact, although a party that can substitute the certificate is in principle also able to read the traffic. The remark about ~/.gosign in the description shows what that integrity loss can lead to: files downloaded by the application land in that directory and are subsequently executed, so a tampered download is a path to code execution in the context of the user who runs it.

Exploitation needs a specific set of conditions, which is why the rating is low. The attack vector is local (AV:L): the attacker must control the proxy setting or the proxy infrastructure itself. The attack complexity is high (AC:H) because the proxy must also accept or relay connections with invalid or untrusted upstream certificates, which an ordinary managed enterprise forward proxy does not. No privileges or user interaction are required once such a proxy is in place. The CVSS 3.1 base score is 3.2 (Low). The description additionally flags a separate but compounding unsafe practice: placing ~/.gosign in the home directory of an untrusted user and then letting other users execute files from it. No exploits are known in the wild and no patch is currently linked from the record, so the available controls are configuration and hygiene measures rather than an upgrade.
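The following is an added illustration, not GoSign Desktop's code: it shows the anti-pattern the analysis describes (a client that switches certificate validation off as soon as a proxy is configured) next to the corrected pattern, using only the Python standard library. The `GOSIGN_CA_BUNDLE` variable name and the proxy URL are assumptions for the demonstration; the right way to cope with a TLS-inspecting enterprise proxy is to trust its CA, never to turn verification off.

```python
"""Weak vs. corrected proxy-aware TLS client configuration (added example)."""
import os
import ssl
import urllib.request
from typing import Optional


def vulnerable_context(proxy_url: Optional[str]) -> ssl.SSLContext:
    """Pattern to avoid: verification is disabled whenever a proxy is set.

    With CERT_NONE (the equivalent of SSL_VERIFY_NONE) any certificate is
    accepted, so the proxy, or anyone between an honest proxy and the
    origin, can serve substituted content to the client.
    """
    ctx = ssl.create_default_context()
    if proxy_url:
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def hardened_context(proxy_url: Optional[str],
                     ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected pattern: the proxy never changes the verification policy.

    `proxy_url` is deliberately ignored here; routing is the opener's job.
    An inspecting enterprise proxy is handled by adding its CA (ca_bundle)
    to the trust store on top of the system roots.
    """
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def validation_enabled(ctx: ssl.SSLContext) -> bool:
    """Configuration check: chain validation and hostname matching both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_opener(proxy_url: Optional[str],
                 ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    """urllib opener that tunnels HTTPS through `proxy_url` (CONNECT) while
    the TLS session inside the tunnel is still governed by `ctx`."""
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy_url:
        handlers.insert(0, urllib.request.ProxyHandler({"https": proxy_url}))
    return urllib.request.build_opener(*handlers)


if __name__ == "__main__":
    proxy = "http://proxy.example.internal:3128"          # assumed value
    bundle = os.environ.get("GOSIGN_CA_BUNDLE")           # assumed variable name
    print("vulnerable, no proxy :", validation_enabled(vulnerable_context(None)))
    print("vulnerable, proxy    :", validation_enabled(vulnerable_context(proxy)))
    print("hardened,   proxy    :", validation_enabled(hardened_context(proxy, bundle)))
    build_opener(proxy, hardened_context(proxy, bundle))  # construct only; no network
```

Note the ordering constraint in the weak variant: `ssl` refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is a useful tell when auditing code for this anti-pattern.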

Potential Impact

For European organisations using GoSign Desktop for legally binding electronic signatures, the consequence of a successful attack is loss of trust in what the client fetched and ran, not a direct break of the signature cryptography. With validation disabled, an attacker positioned at or behind the proxy can alter responses without detection, and because the description indicates that files downloaded into ~/.gosign are subsequently executed, that can mean arbitrary code running in the signing user's session. This matters most in finance, legal and government workflows. The exposure is confined to deployments that route GoSign Desktop through a proxy, and in particular to proxies that accept or relay upstream connections with invalid certificates, which a managed enterprise proxy normally refuses. The low CVSS score and high attack complexity therefore make widespread exploitation unlikely without control over proxy infrastructure or over the client's proxy setting. The ~/.gosign note is a separate reminder that per-user download directories must not be shared across trust boundaries: a directory one user can write to and another user executes from is a local code-execution path regardless of the TLS issue. Overall impact is low in a well-managed environment and potentially serious in high-assurance environments where proxy configuration is left to end users.

Mitigation Recommendations

1. Do not point GoSign Desktop at an arbitrary or user-chosen proxy. If a proxy is required, use only the managed enterprise proxy, and push that setting centrally rather than leaving it to the user.
2. Be aware that the application itself turns certificate validation off whenever a proxy is configured, so there is no client-side setting that can re-enable it. Until a fixed release is available, prefer direct egress (or a firewall exception) for GoSign Desktop over proxy mode where policy allows, and treat any proxied GoSign Desktop traffic as unauthenticated.
3. On the proxy side, make sure upstream HTTPS connections are validated: a TLS-inspecting proxy must verify origin certificates against a trusted store and fail closed on invalid ones, so that a client with validation disabled behind it still gets an authenticated path to the origin.
4. Keep ~/.gosign owned by the user who runs the application, with no group or world write permission, and never execute files from another user's ~/.gosign.
5. Tell users who are allowed to change proxy settings what that setting does in this product, and why an untrusted proxy is not an acceptable choice.
6. Monitor the proxy for GoSign Desktop connections and for upstream certificate errors; a validation bypass leaves no trace on the client, so the proxy's logs are where evidence of a substituted origin would appear.
7. Track Tinexta Infocert for a release later than 2.4.1 that restores validation in proxy mode and deploy it when available.
8. Audit client proxy configuration and proxy policy periodically to confirm the above still holds.
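Item 4 can be enforced mechanically. The following is an added example, not part of the advisory or of GoSign Desktop, of the checks a wrapper or a scheduled audit could run before anything in a per-user download directory such as ~/.gosign is executed: the file and its parent directory must belong to the executing user, must not be writable by group or others, and must not be symbolic links. The `demo()` function builds a throw-away look-alike of ~/.gosign under a temporary directory (constructed sample data) and shows the check reacting to each misconfiguration; it is Unix-only.

```python
"""Ownership and permission checks for a per-user download directory (added example)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def _owned_and_private(st: os.stat_result, uid: int) -> bool:
    """Owned by `uid` and not writable by group or others."""
    return st.st_uid == uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def safe_to_execute(path: Path, uid: Optional[int] = None) -> bool:
    """True only if `path` is a regular file and both it and its parent
    directory are owned by `uid` (default: the effective user), are not
    group- or world-writable, and are not symlinks.

    lstat() is used on purpose so that a symlink planted by another user
    is rejected rather than followed.
    """
    if uid is None:
        uid = os.geteuid()
    path = Path(path)
    try:
        fst = path.lstat()
        dst = path.parent.lstat()
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(fst.st_mode) or stat.S_ISLNK(dst.st_mode):
        return False
    if not stat.S_ISREG(fst.st_mode) or not stat.S_ISDIR(dst.st_mode):
        return False
    return _owned_and_private(fst, uid) and _owned_and_private(dst, uid)


def demo() -> dict:
    """Exercise the check against a constructed ~/.gosign look-alike."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        gosign = Path(tmp) / ".gosign"
        gosign.mkdir(mode=0o700)
        tool = gosign / "update.bin"
        tool.write_bytes(b"\x7fELF-placeholder")   # constructed content, never run
        tool.chmod(0o700)
        results["private"] = safe_to_execute(tool)

        gosign.chmod(0o777)                         # any local user could drop files here
        results["world_writable_dir"] = safe_to_execute(tool)
        gosign.chmod(0o700)

        tool.chmod(0o666)                           # any local user could replace the file
        results["world_writable_file"] = safe_to_execute(tool)
        tool.chmod(0o700)

        link = gosign / "link.bin"                  # symlink pointing at the real file
        link.symlink_to(tool)
        results["symlink"] = safe_to_execute(link)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} safe={ok}")
```

The check rejects a symlink even when its target would pass, because the decision must be about the path the user is about to invoke, not about whatever it resolves to at that instant.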


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-17T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691b46c6bf18c64a4b2b8190

Added to database: 11/17/2025, 4:01:10 PM

Last enriched: 11/17/2025, 4:16:51 PM

Last updated: 11/17/2025, 8:25:57 PM

Views: 6
