CVE-2025-66406 is an authorization vulnerability classified under CWE-863 found in Step CA, an online certificate authority solution designed for automated certificate management in DevOps environments. Specifically, versions of Step CA before 0.29.0 contain an improper authorization check in the SSH certificate revocation process when configured with the SSHPOP provisioner. The SSHPOP provisioner is used to provision SSH certificates dynamically, facilitating secure and automated SSH access management. Due to the flawed authorization logic, an attacker with elevated privileges (PR:H) but without user interaction (UI:N) can revoke SSH certificates without proper permission validation. This improper revocation can lead to denial of service by invalidating legitimate SSH credentials, impacting system availability and operational continuity. The vulnerability is remotely exploitable over the network (AV:N) but requires high attack complexity (AC:H) and privileges, limiting the ease of exploitation. The CVSS v3.1 score is 5.0, reflecting medium severity with no confidentiality impact, low integrity impact, and high availability impact. The vulnerability was publicly disclosed on December 3, 2025, and fixed in Step CA version 0.29.0. No known exploits have been reported in the wild, but organizations using affected versions with SSHPOP should prioritize patching to prevent potential disruption.

For European organizations, the primary impact of CVE-2025-66406 is on the availability and integrity of SSH certificate-based authentication systems managed by Step CA. Organizations relying on automated SSH certificate provisioning for DevOps workflows, especially those using the SSHPOP provisioner, may face unauthorized revocation of SSH certificates, leading to service disruptions and potential operational downtime. This can affect critical infrastructure, cloud services, and internal network access controls. Although confidentiality is not directly impacted, the loss of availability and integrity can hinder secure access management and delay incident response or maintenance activities. The medium severity rating and requirement for elevated privileges reduce the likelihood of widespread exploitation but do not eliminate risk, especially in environments with multiple administrators or compromised privileged accounts. European sectors such as finance, telecommunications, and government agencies that heavily depend on automated certificate management for secure SSH access could experience operational challenges if this vulnerability is exploited.

European organizations should immediately upgrade Step CA to version 0.29.0 or later to remediate the improper authorization vulnerability. Until patching is complete, restrict access to the Step CA management interfaces and SSHPOP provisioner to trusted administrators only, minimizing the risk of privilege misuse. Implement strict role-based access controls (RBAC) and monitor logs for unusual certificate revocation activities. Conduct audits of SSH certificate revocation events to detect unauthorized actions promptly. Additionally, consider deploying network segmentation to isolate certificate management infrastructure from general user networks. Employ multi-factor authentication (MFA) for privileged accounts managing Step CA to reduce the risk of credential compromise. Finally, maintain an incident response plan that includes steps for rapid certificate re-issuance and recovery in case of unauthorized revocation.