Cyber Posture

CVE-2025-41702

Critical

Published: 26 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see advisory VDE-2025-076
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41702 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in the egOS WebGUI backend. NVD filed no CPE for it; the vendor field shown on this page ("Certvde") is inferred from the advisory reference and names the publisher, CERT@VDE, rather than the product. Its CVSS v3.1 base score is 9.8 (Critical): reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 47.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The modest EPSS score does not soften the severity: once the shipped signing key is known, forging a token needs no credentials and no user interaction.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-12 (Cryptographic Key Establishment and Management), with SI-2 (Flaw Remediation) covering application of the vendor fix.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Forge Web Credentials (T1606). What defenders deploy: the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent): requires that cryptographic keys be generated, distributed, stored and rotated under a managed process. An HS256 signing key compiled into the backend is by construction neither per-installation nor rotatable, which is exactly what SC-12 forbids; the remedy is to generate the secret (or an asymmetric signing key pair, so the verifier holds no secret at all) at install time and keep it outside the code.

SI-2 Flaw Remediation (prevent, recover): mandates identification, reporting and correction of flaws. Here that means applying the vendor fix referenced in VDE-2025-076, and treating replacement of the signing key as part of the remediation: any token signed with the old key remains valid for as long as the backend still trusts that key.

AC-6 Least Privilege (prevent): restricting which local accounts can read the embedded key limits disclosure from a deployed device, but it does not remove the root cause. Because the key is hard-coded, an attacker holding any copy of the software already has it; treat AC-6 as defence in depth behind SC-12 and SI-2, not as a substitute for them.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606 Forge Web Credentials (Credential Access)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

A hard-coded JWT secret in a public-facing WebGUI lets a remote attacker forge valid authentication tokens (T1606) and use them to bypass authentication on the exposed application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of a hard-coded cryptographic key.

Deeper analysis

CVE-2025-41702 is a critical vulnerability in the egOS WebGUI backend: the secret used to sign HS256 JWTs is hard-coded into the backend and readable to the default user. An HS256 signing key is a shared secret, so anyone who knows it can produce signatures the backend accepts; the flaw (CWE-321, Use of Hard-coded Cryptographic Key) therefore defeats both authentication and authorization rather than merely weakening them. The vulnerability was published on 2025-08-26 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated remote attacker does not need to log in or to read the key from the target device. A hard-coded key is the same in every installation, so extracting it once from any copy of the backend is enough to mint tokens with arbitrary claims (an administrative role, for example) that every exposed instance will accept. Successful exploitation bypasses authentication and authorization controls and can give full unauthorized access to the system.
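The forgery described in the paragraph above and in the T1606 mapping, as an added worked example in Python. This is not egOS code and does not come from the advisory or NVD; the signing key, the admin claims and the Backend class are constructed stand-ins, and the real egOS key is not known here and is not reproduced. The block implements HS256 with the standard library only, shows that a verifier built around a shipped constant accepts an attacker-minted admin token, and then shows the two changes that matter: a random per-install key (the SC-12 posture) and a check that flags tokens validating under the known-leaked key, which turns a forgery attempt into a detectable event instead of a silent 401. The verifier also pins the algorithm, so the classic alg: none trick is refused before any signature is compared.

```python
"""Added worked example, not egOS code: how a hard-coded HS256 JWT key lets an
unauthenticated attacker mint tokens the backend accepts, and how a per-install
key plus a compromised-key check changes the outcome.  The key, claims and
account names are constructed; the real egOS key is not known or reproduced."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical constant compiled into every shipped build (the CWE-321 flaw).
# Anyone holding a copy of the software knows it, so treat it as public.
HARDCODED_KEY = b"example-shipped-key-not-the-real-egos-value"

SAFE_EXP = 4102444800  # 2100-01-01, keeps example tokens unexpired


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """header.payload.signature per RFC 7519, HMAC-SHA256 over header.payload."""
    signing_input = f"{_compact({'alg': 'HS256', 'typ': 'JWT'})}.{_compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return claims if the token is HS256-signed by `key` and unexpired, else None.
    The algorithm is pinned, so an 'alg': 'none' header is refused before any
    signature comparison; constant-time comparison avoids a timing oracle."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError, TypeError):
        return None


def forge_admin_token(known_key: bytes) -> str:
    """The attacker step (T1606): no login, just sign the claims the backend trusts."""
    return sign_hs256({"sub": "admin", "role": "admin", "exp": SAFE_EXP}, known_key)


def forge_alg_none_token() -> str:
    """Unsigned-token trick, included to show the verifier refuses it."""
    payload = {"sub": "admin", "role": "admin", "exp": SAFE_EXP}
    return f"{_compact({'alg': 'none', 'typ': 'JWT'})}.{_compact(payload)}."


class Backend:
    """Toy WebGUI backend.  `key` is the shipped constant (vulnerable) or a random
    per-install secret generated at first boot (hardened, the SC-12 posture)."""

    def __init__(self, key: bytes, compromised_keys: tuple = ()):
        self.key = key
        self.compromised_keys = compromised_keys

    def authorize(self, token: str) -> str:
        claims = verify_hs256(token, self.key)
        if claims is not None:
            return f"granted:{claims.get('role', 'user')}"
        # Detection hook: a token that validates under a key known to be leaked
        # is a forgery attempt against this instance, worth an alert, not just a 401.
        if any(verify_hs256(token, old) is not None for old in self.compromised_keys):
            return "denied:forged-with-compromised-key"
        return "denied"


def demo() -> dict:
    forged = forge_admin_token(HARDCODED_KEY)
    vulnerable = Backend(HARDCODED_KEY)
    hardened = Backend(secrets.token_bytes(32), compromised_keys=(HARDCODED_KEY,))
    return {
        "vulnerable": vulnerable.authorize(forged),              # granted:admin
        "hardened": hardened.authorize(forged),                  # denied:forged-with-compromised-key
        "alg_none": hardened.authorize(forge_alg_none_token()),  # denied
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three outcomes side by side. The point of the compromised-key check is operational rather than cryptographic: after rotating away from a leaked constant, tokens that still validate under it are not expired sessions but evidence that someone holds the old key, and that signal belongs in detection, not in a generic authentication-failure counter.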

Mitigation details are provided in the advisory VDE-2025-076 at https://certvde.com/de/advisories/VDE-2025-076.

Details

CWE(s)
CWE-321 Use of Hard-coded Cryptographic Key

Affected Products
egOS WebGUI backend (per the NVD description). The vendor entry "Certvde" is inferred from the advisory reference and description because NVD did not file a CPE for this CVE; CERT@VDE is the coordinating CERT that published VDE-2025-076, not the product vendor.

CVEs Like This One

CVE-2025-44963 (shared CWE-321)
CVE-2025-26340 (shared CWE-321)
CVE-2025-15016 (shared CWE-321)
CVE-2025-34256 (shared CWE-321)
CVE-2026-22586 (shared CWE-321)
CVE-2025-11899 (shared CWE-321)
CVE-2025-57174 (shared CWE-321)
CVE-2025-62581 (shared CWE-321)
CVE-2026-26335 (shared CWE-321)
CVE-2025-8625 (shared CWE-321)

References

CERT@VDE advisory VDE-2025-076: https://certvde.com/de/advisories/VDE-2025-076