Cyber Resilience

CVE-2025-11609

Severity: Low · Public PoC available

Published: 11 October 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 Score: 2.9 (Low)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0029 (52.5th percentile)
Risk Priority: 6 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11609 is a low-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Hospital Management System 1.0 (listed under the vendor name Fabian and distributed through code-projects.org). Its CVSS v4.0 base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 47.5% of CVEs by exploit likelihood (52.5th percentile). It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-11609 affects Hospital Management System 1.0 from code-projects.org, specifically the session setup that uses the express-session middleware. The `secret` option passed to express-session, which is the HMAC key used to sign the session ID cookie, is the literal string "secret" rather than a randomly generated, externally supplied value. This flaw is classified under CWE-320 (Key Management Errors) and CWE-321 (Use of Hard-coded Cryptographic Key), has a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), and was published on 2025-10-11.

Remote, unauthenticated attackers can exploit the flaw over the network, though the attack is rated high complexity. The signature is the only integrity control on the session cookie: anyone who knows the secret can produce a validly signed cookie for any session ID they choose, so the signature no longer proves that the cookie was issued by the server. Because express-session generates session IDs randomly, a forged signature alone does not take over an existing session unless the attacker also learns its ID, which is why the impact is rated as a low integrity violation (session tampering or forgery) with no effect on confidentiality or availability.

References, including the VulDB entry (327932, also tracked as ctiid.327932) and a GitHub disclosure at lakshayyverma/CVE-Discovery, indicate that an exploit has been published and may be used. No patch or vendor mitigation is referenced in the available information.

EU & UK References

Vulnerability details

A flaw has been found in code-projects Hospital Management System 1.0. Affected is the function session of the component express-session. This manipulation of the argument secret with the input secret causes use of hard-coded cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1600.001 Reduce Key Space Defense Impairment
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
T1606.001 Web Cookies Credential Access
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

The hard-coded session secret enables exploitation of a public-facing web application (T1190) and lets an attacker forge signed session cookies for impersonation (T1606.001). The T1600.001 mapping is a loose fit: no network cipher is weakened, but a fixed, publicly known key collapses the effective key space of the cookie signature to a single value.

CVEs Like This One

CVE-2026-0568 · Same vendor: Fabian
CVE-2026-0576 · Same vendor: Fabian
CVE-2026-0606 · Same vendor: Fabian
CVE-2026-2196 · Same vendor: Fabian
CVE-2026-1422 · Same vendor: Fabian
CVE-2026-2174 · Same vendor: Fabian
CVE-2026-2220 · Same vendor: Fabian
CVE-2026-0578 · Same vendor: Fabian
CVE-2026-2176 · Same vendor: Fabian
CVE-2026-2173 · Same vendor: Fabian

Affected Assets

fabian
hospital management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent)
Directly requires proper cryptographic key generation, distribution, and management, eliminating the hard-coded secret that enables session forgery.

SC-23 Session Authenticity (prevent)
Enforces protection of session authenticity, mitigating the integrity impact of predictable hard-coded session secrets.

IA-5 Authenticator Management (prevent)
Mandates secure authenticator management practices that prohibit embedding fixed cryptographic secrets in application code.

References