Cyber Posture

CVE-2025-56749

Critical · Public PoC

Published: 15 October 2025
Modified: 21 October 2025
KEV Added: not listed
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56749 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Creativeitem Academy LMS. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS ranking places it at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. Note that the low EPSS score reflects observed exploitation activity, not difficulty: with the secret known, forging a token requires no credentials, no user interaction, and a single network request.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Forge Web Credentials (T1606). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, testing, and installation of patches to remediate flaws like the hardcoded default JWT secret enabling token forgery.

prevent (SC-12, Cryptographic Key Establishment and Management): Mandates secure establishment, distribution, and management of cryptographic keys, preventing use of predictable hardcoded secrets for JWT token signing.

prevent (IA-5, Authenticator Management): Requires changing default authenticators prior to first use and protecting authenticator content, directly countering hardcoded predictable JWT secrets used in authentication. In practice this means the JWT signing key must be generated per deployment and loaded from configuration or a secrets store, never shipped in source, and any deployment that ever ran on the default should rotate the key, which invalidates every token signed under it.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Hardcoded predictable JWT secret enables remote unauthenticated attackers to forge authentication tokens, directly facilitating exploitation of a public-facing web application (T1190) and forging web credentials such as tokens (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account.

Deeper analysis

CVE-2025-56749, published on 2025-10-15, affects Creativeitem Academy LMS versions up to and including 6.14. The vulnerability involves the use of a hardcoded default JWT secret for token signing, which is predictable and enables attackers to forge valid JWT tokens. This flaw, mapped to CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), highlighting its critical impact on confidentiality, integrity, and limited availability.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By leveraging the known JWT secret, they can craft arbitrary tokens to bypass authentication, resulting in unauthorized access to any user account within the LMS.
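The forgery described above, and the key-management fix the SC-12 and IA-5 controls call for, as an added example that is not code from Academy LMS or from the advisory. The secret value `ASSUMED_DEFAULT_SECRET` is a constructed placeholder, not the real shipped default (the page does not disclose it), and the function names are this example's own. The block implements HS256 signing and verification with the standard library only, forges an admin token with nothing but the predictable secret, shows the same token being rejected once the deployment rotates to a random key, and includes a defender-side check that flags a live token as still signed under a known default:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder for illustration only. It is NOT the real Academy LMS
# default; it stands in for any key that ships in source and is therefore public.
ASSUMED_DEFAULT_SECRET = "changeme-default-jwt-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT. Anyone holding `secret` can do this, which is the whole problem."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature verifies under `secret`, else None.
    Only exactly HS256 is accepted, so the header cannot be used to downgrade the algorithm."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or malformed JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(payload_b64))


def forge_token_for(user_id: int, role: str, known_secret: str) -> str:
    """Attacker side: no credentials needed, only the predictable secret (CWE-798)."""
    return sign_hs256({"sub": user_id, "role": role}, known_secret)


def signed_with_known_secret(token: str, candidates) -> Optional[str]:
    """Defender check: does a token issued by the live deployment verify under any
    candidate default secret? If so, the deployment is still running on the shipped key."""
    for candidate in candidates:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


def generate_secret() -> str:
    """Hardened: a per-deployment key from the OS CSPRNG, to be stored in the
    environment or a secrets manager rather than committed in source."""
    return secrets.token_urlsafe(32)


def demo() -> dict:
    # Vulnerable deployment: the server signs with the shipped default, so a token
    # the attacker minted locally for an admin account is accepted as genuine.
    forged = forge_token_for(user_id=1, role="admin", known_secret=ASSUMED_DEFAULT_SECRET)
    accepted_by_vulnerable = verify_hs256(forged, ASSUMED_DEFAULT_SECRET)
    # Patched deployment: the key is rotated; the same forged token fails verification.
    rotated = generate_secret()
    accepted_by_patched = verify_hs256(forged, rotated)
    # Audit: a real token minted by the vulnerable server is flagged by the check
    # (candidate list is constructed for the demo, not a real wordlist).
    live_token = sign_hs256({"sub": 42, "role": "student"}, ASSUMED_DEFAULT_SECRET)
    flagged = signed_with_known_secret(live_token, ["secret", "jwt_secret", ASSUMED_DEFAULT_SECRET])
    return {
        "forged_accepted_by_vulnerable": accepted_by_vulnerable,
        "forged_accepted_by_patched": accepted_by_patched,
        "live_token_flagged_secret": flagged,
        "rotated_secret_length_ok": len(rotated) >= 43,  # 32 random bytes, base64url
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Rotation is the operational point: simply deleting the default from source is not enough if the production configuration still carries the old value, and because HS256 is symmetric, every service that verifies these tokens must receive the new key at the same time. The `signed_with_known_secret` check is the kind of thing to run against a token from your own deployment after patching; if it still returns a candidate, the rotation did not take.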

Advisories and mitigation details are provided in the referenced source at https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/, which security practitioners should review for patching recommendations and remediation steps.

Details

CWE(s)

CWE-798 Use of Hard-coded Credentials

Affected Products

creativeitem / academy lms / ≤ 6.14

CVEs Like This One

CVE-2025-69971 (shared CWE-798)
CVE-2024-53356 (shared CWE-798)
CVE-2020-36911 (shared CWE-798)
CVE-2026-27073 (shared CWE-798)
CVE-2026-32834 (shared CWE-798)
CVE-2026-30701 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2026-35503 (shared CWE-798)
CVE-2025-7401 (shared CWE-798)
CVE-2025-1393 (shared CWE-798)

References

https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/