CVE-2025-30064
Published: 27 August 2025
Summary
CVE-2025-30064 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Cert (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27774
- 🇵🇱 CERT-PL: cert.pl
Vulnerability details
An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function…
more
to generate a session for any user.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Documenting every system component at the required granularity and reviewing the inventory detects or prevents hidden functionality from remaining undetected.
Recovery eliminates hidden functionality or backdoors introduced during compromise.
Policy requires supplier transparency and testing to detect hidden functionality or backdoors inserted in the supply chain.
Screening high-risk technical positions lowers the probability that hidden functionality or backdoors will be added by authorized personnel.
Hunting identifies hidden functionality used for persistence or evasion after initial compromise.
TSCM surveys discover and eliminate hidden surveillance functionality that would otherwise remain undetected in the environment.