CVE-2025-11609
Published: 11 October 2025
Summary
CVE-2025-11609 is a low-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Fabian Hospital Management System. Its CVSS base score is 2.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-11609 affects Hospital Management System 1.0 from code-projects.org, specifically the session function within the express-session component. The vulnerability stems from the use of a hard-coded cryptographic key, which is triggered by manipulating the secret argument with the input "secret". This flaw, associated with CWE-320 (Missing Cryptographic Key Management) and CWE-321 (Use of Hard-coded Cryptographic Key), has a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) and was published on 2025-10-11.
Remote attackers with no required privileges can initiate exploitation over the network, though it demands high complexity and is rated as difficult to exploit. Successful attacks result in low-impact integrity violations, such as potential session tampering or forgery due to the predictable cryptographic key, without affecting confidentiality or availability.
References, including VulDB entries (ctiid.327932, id.327932) and a GitHub disclosure at lakshayyverma/CVE-Discovery, indicate that an exploit has been published and may be used. No specific patch or mitigation details are provided in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-33870
Vulnerability details
A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. Manipulation of the argument secret with the input secret causes use of a hard-coded cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hardcoded session secret enables exploitation of a public-facing web application (T1190), weakens encryption by reducing key space (T1600.001), and facilitates forging web session cookies for impersonation (T1606.001).
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): directly requires proper cryptographic key generation, distribution, and management, eliminating the hard-coded secret that enables session forgery.
- Session authenticity protection: enforces protection of session authenticity, mitigating the integrity impact of predictable hard-coded session secrets.
- IA-5 (Authenticator Management): mandates secure authenticator management practices that prohibit embedding fixed cryptographic secrets in application code.