An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1 This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation.
The ToDesktop Builder application does not perform sufficient verification of TLS certificates during communication with backend servers. An attacker in a man-in-the-middle position (on-path attack) can use a forged certificate that will be accepted by the application. This enables impersonation of false backend server responses without the knowledge or consent of the user or administrator.
An attacker can impersonate trusted backend servers, modify data transmitted to the application, and potentially deliver malicious updates or configurations, which may lead to complete takeover of the application building environment (confidentiality, integrity, and availability threatened at high level).
ToDesktop Builder should be updated to a version containing the patch described in the vendor's security bulletin TDSA-2025-001. Details regarding the patched version are available at https://www.todesktop.com/security/advisories/TDSA-2025-001 and in the vendor's changelog.
ToDesktop Builder version v0.32.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTodesktop Builder
APPTodesktop< 0.32.1
Related vulnerabilities
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers wi...
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute ...