CVE-2025-41702 | THREATINT

Description

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.

PUBLISHED Reserved 2025-04-16 | Published 2025-08-26 | Updated 2025-08-26 | Assigner CERTVDE

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

Product status

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before v1.7.7

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

Default status

unaffected

0.0.0 (semver) before

affected

v1.8.0 (semver) before v1.8.2

affected

References

certvde.com/de/advisories/VDE-2025-076

cve.org (CVE-2025-41702)

nvd.nist.gov (CVE-2025-41702)

Download JSON