CVE-2025-59870
Published: 16 January 2026
Summary
CVE-2025-59870 is a high-severity vulnerability in Hcltech Myxalytics of the type Reusing a Nonce, Key Pair in Encryption (CWE-323). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Forge Web Credentials (T1606). It is ranked at the 15.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Static unrotated JWT signing secret directly enables adversaries to forge valid JWT tokens for authentication bypass and impersonation (T1606 Forge Web Credentials).
NVD Description
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk.
Deeper analysis
CVE-2025-59870 is a vulnerability in HCL MyXalytics, specifically affecting the web application due to improper management of a static JWT signing secret that lacks rotation, thereby introducing a security risk. Published on 2026-01-16, it carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-323 (Reused Configuration Management Secret).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, though it demands high attack complexity. Successful exploitation enables high-impact compromise of confidentiality and integrity, such as forging or tampering with JWTs using the static, unrotated signing secret.
HCL provides mitigation guidance in its advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115.
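The control the analysis points at, rotation of the JWT signing key, shown as an added example that is not HCL code and not part of the original record: an HS256 issuer/verifier in Python that selects keys by `kid`, keeps a retired key verify-only for a grace window and then refuses every token signed under it. The key ids, secrets and timestamps are constructed for the demonstration.

```python
"""HS256 JWT issue/verify with key rotation by kid. Added example for this page,
not HCL code; key ids, secrets and timestamps below are constructed."""
import base64
import hashlib
import hmac
import json

# Constructed key set. One key is current (signs new tokens); a retired key stays
# verify-only until its grace period ends so in-flight tokens drain, after which
# anything it signed is refused. A static, unrotated secret never reaches this state.
KEYS = {
    "k-2025-12": {"secret": b"constructed-old-secret", "verify_until": 1_768_000_000},
    "k-2026-01": {"secret": b"constructed-new-secret", "verify_until": None},
}
CURRENT_KID = "k-2026-01"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, kid: str = CURRENT_KID) -> str:
    """Issue an HS256 token under the named key; the header records the kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, now: int):
    """Return the payload if kid is known, key still accepted, signature and exp valid; else None."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(_b64url_decode(h64)), _b64url_decode(s64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    key = KEYS.get(header.get("kid")) if isinstance(header, dict) else None
    if key is None or header.get("alg") != "HS256":
        return None  # unknown key, or an algorithm this verifier does not allow
    if key["verify_until"] is not None and now > key["verify_until"]:
        return None  # key rotated out: tokens it signed are no longer accepted
    expected = hmac.new(key["secret"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp") is not None and now >= payload["exp"]:
        return None
    return payload
```

Retiring a key here is a data change (set `verify_until`, add the successor), so the secret can be rotated on a schedule or immediately after suspected exposure without redeploying the verifier.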
Details
- CWE(s)