CVE-2025-11290
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11290
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
crmeb crmeb to 5.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-320 Key Management Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in CRMEB up to version 5.6.1 involves the JWT HMAC Secret Handler component using a hard-coded cryptographic key with the default value "default". This predictable secret allows attackers to forge valid JWT tokens, bypass authentication, escalate privileges, and gain unauthorized access to protected resources. The vulnerability can be exploited remotely without authentication, although the exploit is considered difficult. The vendor did not respond to the disclosure, and no known mitigations currently exist. [1, 2]

Impact Analysis

Exploitation of this vulnerability allows an attacker to impersonate any user, including administrators, by forging JWT tokens signed with the known default secret. This leads to full authentication bypass, privilege escalation, unauthorized access to protected APIs, and potential exposure or exfiltration of sensitive business data. The impact affects confidentiality, integrity, and availability of the system's data and services. [1, 2]

Detection Guidance

This vulnerability can be detected by inspecting JWT tokens used by the CRMEB application to see if they are signed with the default hard-coded secret "default." One approach is to capture JWT tokens from network traffic or application logs and attempt to verify or forge tokens using the secret "default." For example, you can extract JWT tokens from HTTP Authorization headers and decode them to check the issuer claim (e.g., "v5.crmeb.net"). Then, using tools like jwt.io or jwt-cli, attempt to verify or forge tokens with the secret "default." Commands might include: 1) Using curl or a proxy to capture tokens from requests, 2) Using jwt-cli or similar tools to decode and verify tokens, e.g., `jwt decode <token>`, `jwt verify <token> -s default`, or 3) Attempting to forge a token with elevated claims signed with "default" and testing access to protected endpoints. This confirms if the system is vulnerable to token forgery due to the hard-coded secret. [2]

Mitigation Strategies

Immediate mitigation steps include removing the hard-coded weak JWT secret and replacing it with a strong, randomly generated secret during installation or configuration. Administrators should be required to set and rotate the JWT secret regularly. Additionally, invalidate all tokens signed with the default secret "default" to prevent unauthorized access. If possible, replace the affected CRMEB version with a patched or alternative product that does not use the default secret. Since no official vendor response or patch is available, these steps are critical to reduce risk. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart