
CVE-2025-59870

Severity: High
Published: 16 January 2026
Modified: 23 January 2026
CISA KEV: not listed
CVSS v3.1 base score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0024 (14.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-59870 is a high-severity vulnerability in HCL MyXalytics classified as CWE-323 (Reusing a Nonce, Key Pair in Encryption): the web application signs JWTs with a static secret that is never rotated. Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Forge Web Credentials (T1606). EPSS ranks the CVE at the 14.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-59870 is a vulnerability in HCL MyXalytics. The web application signs JWTs with a static secret that is never rotated, so once that secret is disclosed by any means, every token it has signed or will sign is untrustworthy until the secret is changed by hand. Published on 2026-01-16, the CVE carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-323 (Reusing a Nonce, Key Pair in Encryption).

An unauthenticated remote attacker can exploit the flaw over the network without user interaction, although attack complexity is rated high. Successful exploitation has a high impact on confidentiality and integrity: an attacker who holds the static secret can forge new JWTs or tamper with existing ones, and because the secret is never rotated that capability persists indefinitely.

HCL provides mitigation guidance in its advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115.

Vulnerability details

HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application; the secret lacks rotation, introducing a security risk.

CWE(s)

CWE-323 Reusing a Nonce, Key Pair in Encryption
Related Threats

MITRE ATT&CK Enterprise Techniques

T1606 Forge Web Credentials (Credential Access)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

A static, unrotated JWT signing secret lets an adversary who obtains it mint valid tokens for authentication bypass and impersonation (T1606 Forge Web Credentials).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52636 (same vendor: HCLTech)
CVE-2025-52626 (same vendor: HCLTech)
CVE-2025-55269 (same vendor: HCLTech)
CVE-2025-52627 (same vendor: HCLTech)
CVE-2025-52660 (same vendor: HCLTech)
CVE-2025-31958 (same vendor: HCLTech)
CVE-2024-42176 (same vendor: HCLTech)
CVE-2024-30151 (same vendor: HCLTech)
CVE-2024-42172 (same vendor: HCLTech)
CVE-2025-52612 (same vendor: HCLTech)

Affected Assets

HCLTech MyXalytics, versions 6.2, 6.3, 6.4, 6.5 and 6.6

Mitigating Controls (NIST 800-53 r5)

SC-12 Cryptographic Key Establishment and Management (prevent)
Directly requires cryptographic key establishment and management procedures that include rotation of secrets such as the static JWT signing key.

IA-5 Authenticator Management (prevent)
Mandates secure authenticator management practices that encompass generation, distribution and rotation of secrets used for authentication tokens like JWTs.

SC-23 Session Authenticity (prevent)
Requires mechanisms to protect session authenticity, which is undermined when a static, unrotated JWT signing secret allows forgery or tampering.
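The static-secret problem described in the analysis above and the SC-12/IA-5 rotation controls listed in this section, shown in working code. This is an added example written for this page, not code from HCL MyXalytics or its advisory, and it says nothing about how that product stores or uses its secret: a generic HS256 JWT issuer and verifier in which the KeySet class, the kid values, the secrets, the timestamps and the grace window are all constructed for the demo. With one static key, a leaked secret forges tokens indefinitely; rotating under a new kid and retiring the old key after a grace window bounds the damage, and the verifier also pins the algorithm and checks exp.

```python
"""Generic HS256 JWT issue/verify with a rotating keyset (added example,
not HCL MyXalytics code; kids, secrets and times are constructed)."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


class KeySet:
    """Signing secrets indexed by kid; retired_at is None while a key is live."""

    def __init__(self, kid: str, secret: bytes):
        self.current = kid
        self.keys = {kid: {"secret": secret, "retired_at": None}}

    def rotate(self, new_kid: str, new_secret: bytes, now: float, grace: float) -> None:
        # New tokens are signed with new_kid at once; the old key stays
        # verifiable only until now + grace so in-flight sessions drain.
        self.keys[self.current]["retired_at"] = now + grace
        self.keys[new_kid] = {"secret": new_secret, "retired_at": None}
        self.current = new_kid

    def secret_for(self, kid: str, now: float) -> Optional[bytes]:
        entry = self.keys.get(kid)
        if entry is None:
            return None
        if entry["retired_at"] is not None and now >= entry["retired_at"]:
            return None  # retired key: a leaked copy is no longer useful
        return entry["secret"]


def sign(payload: dict, keyset: KeySet) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": keyset.current}
    h64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _hs256(f"{h64}.{p64}".encode(), keyset.keys[keyset.current]["secret"])
    return f"{h64}.{p64}.{_b64url(sig)}"


def verify(token: str, keyset: KeySet, now: float) -> Optional[dict]:
    """Return the claims if the token is valid at time now, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        payload = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return None
    kid = header.get("kid")
    secret = keyset.secret_for(kid, now) if isinstance(kid, str) else None
    if secret is None:
        return None
    if not hmac.compare_digest(sig, _hs256(f"{h64}.{p64}".encode(), secret)):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return payload


def demo() -> dict:
    """Walk through leak, rotation and retirement; returns what each check found."""
    t0 = 1_700_000_000.0                  # constructed reference time
    leaked = b"constructed-secret-k1"     # assume this secret was disclosed
    ks = KeySet("k1", leaked)
    good = sign({"sub": "alice", "role": "user", "exp": t0 + 3600}, ks)
    # Holder of the leaked secret mints an admin token under the same kid.
    forged = sign({"sub": "alice", "role": "admin", "exp": t0 + 3600}, KeySet("k1", leaked))
    out = {"forged_accepted_with_static_key": verify(forged, ks, t0) is not None}
    # Operator rotates one minute later with a five-minute grace window.
    ks.rotate("k2", b"constructed-secret-k2", now=t0 + 60, grace=300)
    out["both_valid_in_grace"] = (verify(good, ks, t0 + 120) is not None
                                  and verify(forged, ks, t0 + 120) is not None)
    out["forged_valid_after_grace"] = verify(forged, ks, t0 + 400) is not None
    fresh = sign({"sub": "alice", "role": "user", "exp": t0 + 7200}, ks)
    out["fresh_token_valid"] = verify(fresh, ks, t0 + 400) is not None
    # Editing the claims without the k2 secret breaks the signature.
    h64, p64, s64 = fresh.split(".")
    tampered_body = _b64url(b'{"sub":"alice","role":"admin","exp":1700007200}')
    out["tampered_valid"] = verify(f"{h64}.{tampered_body}.{s64}", ks, t0 + 400) is not None
    # alg=none with an empty signature must be rejected outright.
    none_hdr = _b64url(b'{"alg":"none","kid":"k2"}')
    out["alg_none_valid"] = verify(f"{none_hdr}.{p64}.", ks, t0 + 400) is not None
    return out


if __name__ == "__main__":
    print(demo())
```

The grace window is the operational trade-off: too short and every live session fails at rotation, too long and a leaked key keeps working. Rotation is only a mitigation if the old secret really is retired, which is why the verifier looks up keys by kid and time rather than trying every secret it has ever seen.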

References

HCL Software advisory KB0128115: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115