GoSign is an advanced and qualified electronic signature solution developed by Tinexta InfoCert S.p.A., used by public administrations, businesses, and professionals to manage approval workflows with traceability and security.
The SaaS/web version of the product has received the “QC2” qualification from the Italian National Cybersecurity Agency (ACN).
The QC2 qualification certifies a service’s ability to securely handle critical data, including data processed by public administrations. Under ACN’s regulation effective from August 1, 2024, cloud service providers for public entities must meet strict security and resilience requirements. This qualification enables public administrations to adopt certified solutions for safeguarding sensitive data and ensuring continuity of essential services.
GoSign Desktop, subject of this advisory, is the on-premise version released for Microsoft Windows, Linux Ubuntu, and Apple macOS.
We have identified a critical vulnerability in the GoSign Desktop software, developed by Tinexta InfoCert. The platform is widely used for signing, verifying, and managing electronic documents. In 2021 alone, it was used by 1.6 million people to perform over 830 million signing transactions, confirming its central role in the Italian and European digital ecosystem.
GoSign Desktop disables TLS certificate validation (SSL_VERIFY_NONE) when configured to use a proxy server, removing any assurance regarding server identity during encrypted communications. This exposes users to MitM attacks.
Additionally, the update mechanism relies on an unsigned manifest, meaning all security depends on TLS—which is not validated.
The GoSignDesktop process, through libdgsapi.so and libcurl.so, disables TLS certificate validation by invoking:
SSL_CTX_set_verify(mode=SSL_VERIFY_NONE)
This nullifies the security properties of the TLS channel.
Vulnerable versions:
The update process relies on an unsigned manifest containing the update package URL and hash. A MitM attacker can:
This results in remote code execution.
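As an added example (not GoSign or InfoCert code) of the two controls whose absence the advisory describes, the Go block below verifies an update manifest under a pinned vendor Ed25519 key before trusting its URL and hash, and builds an HTTP client whose TLS validation stays enabled whether or not a proxy is configured. The Manifest layout, the function names and the key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
)

// Manifest is a hypothetical update descriptor with the two fields the advisory says the real one carries.
type Manifest struct {
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}

// SignManifest returns the serialized manifest and its detached Ed25519 signature (vendor side).
func SignManifest(m Manifest, priv ed25519.PrivateKey) ([]byte, []byte) {
	body, _ := json.Marshal(m) // marshaling a struct of two strings cannot fail
	return body, ed25519.Sign(priv, body)
}

// VerifyManifest accepts a manifest only under a pinned vendor key: a MitM who rewrites
// URL and hash also invalidates the signature, so TLS is no longer the sole barrier.
func VerifyManifest(body, sig []byte, pub ed25519.PublicKey) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("manifest signature invalid")
	}
	return m, json.Unmarshal(body, &m)
}

// VerifyPackage checks the downloaded package against the hash taken from a verified manifest.
func VerifyPackage(m Manifest, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

// NewUpdateClient routes through a proxy without weakening TLS: certificate and hostname
// validation stay on (InsecureSkipVerify remains false) whether a proxy is set or not.
func NewUpdateClient(proxy *url.URL) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	if proxy != nil {
		tr.Proxy = http.ProxyURL(proxy)
	}
	return &http.Client{Transport: tr}
}
```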
The issue was reported to ACN/CSIRT Italia due to severity.
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
When using a proxy, client acceptance of self-signed certificates enables interception of:
Attackers can gain full system compromise.
A local attacker can modify:
~/.gosign/dike.conf
to force malicious updates and escalate privileges.
Proof of Concept Video:
https://www.ush.it/team/ush/hack-gosign-desktop_240/gosigndesktop_mitm_poc.mp4
PoC Exploit:
https://www.ush.it/team/ush/hack-gosign-desktop_240/
TLS certificate validation remains disabled when a proxy is configured.
Following the initial contact, the vendor received all technical details about the vulnerability, including the Proof of Concept (PoC) and mitigation suggestions — both via encrypted email and during a Teams call requested by the vendor on 2025-10-16 at 15:00.
Attending the call were the InfoCert security officer and the GoSign Desktop product manager. During the meeting, the vendor confirmed the vulnerability and agreed that October 31, 2025 was a reasonable deadline for releasing a fix.
After this call:
On 2025-11-04, the fix was released silently, without any announcement and without honoring the request to include a changelog acknowledgment.
ACN/CSIRT Italia was notified regarding the vendor’s improper adherence to responsible disclosure best practices.
MITRE is currently unresponsive.
2025-10-03: Vulnerability discovered
2025-10-04: Proof of Concept developed
2025-10-04: Initial contact attempt to InfoCert S.p.A.
2025-10-04: Concurrent notification sent to ACN/CSIRT Italia
2025-10-04: Response from ACN/CSIRT Italia acknowledging receipt and awaiting further developments
2025-10-07: Response from InfoCert Cyber Security Operation
2025-10-07: Technical details and evidence shared with the vendor
2025-10-09: InfoCert acknowledges the report and states the issue is under investigation
2025-10-16: Technical call with InfoCert; vulnerability confirmed; over 1 million users affected. Full technical details and remediation suggestions shared
2025-10-26: Follow-up request for update sent to vendor; no response received
2025-11-04: Version 2.4.1 released; no communication or changelog from the vendor
2025-11-08: Further request for explanation and update sent; no response
2025-11-14: Report submitted to ACN/CSIRT Italia regarding mishandling of the disclosure process
2025-11-14: Advisory published
Technical details are available here:
https://www.ush.it/team/ush/hack-gosign-desktop_240/gosign-desktop-exec.txt
About the author:
Pasquale “Sid” Fiorillo is credited with the discovery of this vulnerability with the contribution of Francesco “ascii” Ongaro and Marco Lunardi.
Pasquale “sid” Fiorillo
web site: http://www.ush.it/
mail: sid AT ush DOT it
Francesco “ascii” Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it
(SecurityAffairs – hacking, GoSign)