GoSign Desktop Flaws Enable RCE via TLS Bypass and Fake Updates
Category:Threat Alerts
Critical flaws in GoSign Desktop 2.4.0 disable TLS certificate validation when using a proxy, allowing attackers to intercept OAuth secrets, JWT tokens, and update manifests. The unsigned update mechanism enables remote code execution by replacing update packages with malicious payloads. Mapped to T1190 (Exploit Public-Facing Application) and T1059 (Command Execution), these flaws expose systems across Windows, Linux, and macOS. Researchers confirmed privilege escalation on Linux and full compromise via malicious updates. Although version 2.4.1 partially fixes issues, TLS bypass remains unresolved. Vendor communication stalled despite a coordinated disclosure effort. Over a million users—including EU public-sector agencies—depend on GoSign Desktop for critical document workflows, increasing risk of data compromise and system takeover.
CORTEX Protocol Intelligence Assessment
Business Impact: Public-sector and enterprise users face high compromise risk through manipulated updates, potentially breaching regulated workflows and sensitive document approval chains. Technical Context: Attackers exploit disabled TLS verification to manipulate update manifests and deliver arbitrary code. Privilege escalation on Linux broadens post-exploitation reach.
Strategic Intelligence Guidance
- Upgrade to GoSign Desktop 2.4.1 immediately.
- Block unsigned update channels and enforce certificate pinning.
- Monitor for unauthorized config changes and update triggers.
- Segment GoSign systems to limit compromise scope.
Vendors
Targets
Intelligence Source: GoSign Desktop Flaws Enable RCE via TLS Bypass and Fake Updates | Nov 16, 2025