CVE-2025-35940 | THREATINT

Description

The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints.

PUBLISHED Reserved 2025-04-15 | Published 2025-06-10 | Updated 2025-06-11 | Assigner tenable

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status

unaffected

15.7 (semver)

affected

References

www.tenable.com/security/research/tra-2025-17 exploit

www.tenable.com/security/research/tra-2025-17

cve.org (CVE-2025-35940)

nvd.nist.gov (CVE-2025-35940)

Download JSON