Cyber Resilience

CVE-2024-53356

Critical · Public PoC

Published: 31 January 2025

Modified: 23 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0091 (76.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53356 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Easyvirt Co2Scope. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 23.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2024-53356 is a weak JWT secret vulnerability affecting EasyVirt DCScope versions up to and including 8.6.0 and CO2Scope versions up to and including 1.3.0. The issue stems from a hardcoded HMAC secret, specifically "somerandomaccesstoken", used for generating JSON Web Tokens (JWTs). This predictable secret enables attackers to forge valid tokens, leading to privilege escalation within the application.

Remote attackers can exploit this vulnerability without authentication, as indicated by its CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting JWTs with the known secret, unauthenticated adversaries gain unauthorized access to sensitive information and perform privileged actions, potentially compromising the full confidentiality, integrity, and availability of the affected systems.

Advisories detailing the vulnerability, including potential mitigation steps, are available in the referenced GitHub repository at https://github.com/Elymaro/CVE/blob/main/EasyVirt/CVE-2024-53356.md. The issue is classified under CWE-798 (Use of Hard-coded Credentials).
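The analysis above suggests a defensive check, shown here as an added example that is not code from the advisory or from EasyVirt. It tests whether a token issued by your own deployment still verifies under the hardcoded secret quoted on this page, and gates a replacement secret on the RFC 7518 minimum key length. The function names are hypothetical, and the HS256/HS384/HS512 algorithm set is an assumption, since the page does not state which algorithm the products use.

```python
import base64, hashlib, hmac, json

# Secret quoted on this page for CVE-2024-53356; add others you want to rule out.
KNOWN_HARDCODED_SECRETS = [b"somerandomaccesstoken"]
# Assumption: the deployment signs with an HMAC-based JWS algorithm.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url_decode(part):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def audit_token(token, candidates=KNOWN_HARDCODED_SECRETS):
    """Classify a token taken from your own instance.

    Returns 'malformed', 'not-hmac', 'known-secret' (the instance still signs
    with a listed secret) or 'ok' (not signed with any listed secret)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed"
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in HMAC_ALGS:
        return "not-hmac"
    signing_input = f"{parts[0]}.{parts[1]}".encode("utf-8")
    for secret in candidates:
        expected = hmac.new(secret, signing_input, HMAC_ALGS[alg]).digest()
        if hmac.compare_digest(expected, signature):
            return "known-secret"
    return "ok"

def secret_is_acceptable(secret, alg="HS256"):
    """Startup gate for a replacement secret: not a published value, and at
    least as long as the hash output (RFC 7518, section 3.2)."""
    min_len = HMAC_ALGS[alg]().digest_size
    return secret not in KNOWN_HARDCODED_SECRETS and len(secret) >= min_len

if __name__ == "__main__":
    import sys
    # One token per line on stdin, e.g. collected from your own session.
    for line in sys.stdin:
        if line.strip():
            print(audit_token(line), line.strip()[:16] + "...")
```

A result of 'known-secret' on a patched instance means the secret was not rotated; the 21-byte hardcoded value also fails the length gate on its own.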

Vulnerability details

Weak JWT Secret vulnerability in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote attackers to generate JWT for privilege escalation. The HMAC secret used for generating tokens is hardcoded as "somerandomaccesstoken". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606 Forge Web Credentials (Tactic: Credential Access)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

A weak hardcoded JWT secret enables remote unauthenticated attackers to forge valid tokens for privilege escalation in a likely public-facing web application, facilitating exploitation of public-facing applications, exploitation for privilege escalation, and forging web credentials.

CVEs Like This One

CVE-2024-53357: Same product (Easyvirt Co2Scope)
CVE-2024-55062: Same product (Easyvirt Co2Scope)
CVE-2024-57587: Same product (Easyvirt Co2Scope)
CVE-2024-53355: Same product (Easyvirt Co2Scope)
CVE-2025-56749: Shared CWE-798
CVE-2025-69971: Shared CWE-798
CVE-2025-33222: Shared CWE-798
CVE-2025-42890: Shared CWE-798
CVE-2020-36911: Shared CWE-798
CVE-2026-35503: Shared CWE-798

Affected Assets

easyvirt co2scope ≤ 1.3.0
easyvirt dcscope ≤ 8.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely remediation of software flaws such as hardcoded weak JWT secrets, directly preventing exploitation for privilege escalation.

Prevent: Mandates establishment and management of cryptographic keys like HMAC secrets with sufficient strength, preventing attackers from forging valid JWTs.

Prevent: Enforces management of authenticators with adequate strength of mechanism, prohibiting hardcoded weak secrets used in JWT generation.

References