Cyber Resilience

CVE-2025-70041

Critical

Published: 11 March 2026

Published
11 March 2026
Modified
10 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 35.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-70041 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-15 (Development Process, Standards, and Tools).

Deeper analysis

CVE-2025-70041, published on 2026-03-11, involves a use of hard-coded password issue (CWE-259) discovered in the master branch of oslabs-beta ThermaKube. This vulnerability affects the ThermaKube software component developed by oslabs-beta, earning a critical CVSS v3.1 base score of 9.8 due to its severe impact potential.

The vulnerability enables exploitation over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). Attackers can achieve high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H), potentially allowing unauthorized access to sensitive functions, data exfiltration, system modification, or denial of service on affected ThermaKube instances.

References for further details include a GitHub Gist at https://gist.github.com/zcxlighthouse/cbd6fd6ca486460573e0611ee547f763, the oslabs-beta organization page at https://github.com/oslabs-beta, and the ThermaKube repository at https://github.com/oslabs-beta/ThermaKube. No specific mitigation steps or patches are outlined in the available CVE information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue pertaining to CWE-259: Use of Hard-coded Password was discovered in oslabs-beta ThermaKube master.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hard-coded password directly enables use of valid accounts for remote unauthorized access (T1078) to a publicly exposed application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11126Shared CWE-259
CVE-2025-27638Shared CWE-259
CVE-2026-7579Shared CWE-259
CVE-2025-46067Shared CWE-259
CVE-2025-59388Shared CWE-259
CVE-2025-1100Shared CWE-259
CVE-2025-2402Shared CWE-259
CVE-2025-8730Shared CWE-259
CVE-2026-7251Shared CWE-259
CVE-2025-25428Shared CWE-259

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires proper management of authenticators including prohibiting hard-coded passwords through secure distribution, rotation, and protection to prevent unauthorized access.

prevent

SA-15 mandates developer use of standards, tools, and processes such as secure coding practices and code reviews that prohibit embedding hard-coded passwords in software like ThermaKube.

detectrespondrecover

SI-2 ensures flaws like the hard-coded password in CVE-2025-70041 are identified, prioritized, and remediated promptly to mitigate exploitation risks.

References