CRMEB
CVE-2025-11290
Severity: LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
CRMEB up to version 5.6.1 uses a hard-coded cryptographic key in its JWT HMAC Secret Handler when the secret argument defaults to a known value, allowing remote attackers to forge JWT tokens and bypass authentication. Despite a low CVSS score of 2.9 reflecting high attack complexity, public exploit code exists and the vendor has not responded to disclosure. The practical impact depends on how JWT validation is implemented in the application stack.
Technical Context (AI)
CRMEB's JWT (JSON Web Token) HMAC authentication mechanism relies on a shared secret for both signing and verifying tokens. When the secret parameter defaults to a hard-coded or easily guessable value (described as 'default'), anyone who knows that value can compute valid HMAC signatures, so the key no longer provides any secrecy. This violates CWE-320 (Improper Use of Cryptographic Key), a key management flaw in which cryptographic operations depend on secrets that are not properly protected. The CVSS vector AV:N/AC:H indicates network-reachable but high-complexity exploitation, suggesting an attacker must overcome non-trivial obstacles (possibly discovering the exact default value or the specific invocation path) before token forgery becomes practical.
Remediation (AI)
Primary remediation is to upgrade CRMEB to a version beyond 5.6.1 once available; however, no patched version is currently confirmed. Immediate compensating controls:
(1) Change the JWT secret from any default value to a strong, randomly generated key of at least 256 bits, and ensure it is not hard-coded in source or configuration files.
(2) Rotate all existing JWT tokens and force users to re-authenticate.
(3) Enforce JWT expiration with short lifetimes (e.g., 15-30 minutes) to limit the window in which a forged token remains usable.
(4) Monitor JWT validation failures and authentication anomalies for signs of forged tokens.
(5) If JWT endpoints are not required for your deployment, disable JWT authentication temporarily and use session-based auth or API keys with secure rotation.
Consult the CRMEB project and the VulDB entry (https://vuldb.com/?ctiid.327171) for official patch or mitigation guidance once available.
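The following is an added example, not code from CRMEB or from this advisory, showing what controls (1), (3) and (4) look like in a minimal HS256 verifier: it refuses to run with the 'default' secret or any secret shorter than 256 bits, generates a random replacement, pins the algorithm, requires iat/exp and caps the token lifetime at 30 minutes, and records every validation failure for monitoring. The function names, the rejected-secret list and the sample payloads are constructed for illustration and do not reflect CRMEB's actual code paths.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Secret values that must never be accepted. "default" is the value named in the
# CVE description; the 32-byte minimum follows the 256-bit remediation advice.
REJECTED_SECRETS = {b"", b"default"}
MIN_SECRET_BYTES = 32
MAX_TOKEN_LIFETIME = 30 * 60  # seconds; matches the 15-30 minute guidance

# Validation failures are appended here so they can be shipped to monitoring.
validation_failures = []


def check_secret(secret: bytes) -> bytes:
    """Refuse to start with a default or short HMAC secret (control 1)."""
    if secret in REJECTED_SECRETS:
        raise ValueError("JWT secret is a known default value")
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError(f"JWT secret must be at least {MIN_SECRET_BYTES} bytes")
    return secret


def generate_secret() -> bytes:
    """256-bit random secret; store it outside source control (e.g. env var)."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Produce an HS256 JWT of the form header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None):
    """Return (payload, None) on success or (None, reason) on failure.

    Every failure is recorded in validation_failures (control 4).
    """
    now = int(time.time()) if now is None else now

    def fail(reason: str):
        validation_failures.append({"ts": now, "reason": reason})
        return None, reason

    parts = token.split(".")
    if len(parts) != 3:
        return fail("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers base64 padding errors and JSON decode errors
        return fail("undecodable token")
    # Pin the algorithm: never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        return fail("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return fail("bad signature")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return fail("missing iat/exp")
    if exp <= now:
        return fail("token expired")
    if exp - iat > MAX_TOKEN_LIFETIME:  # control 3: short lifetimes only
        return fail("lifetime exceeds policy")
    return payload, None


if __name__ == "__main__":
    key = check_secret(generate_secret())
    issued = int(time.time())
    token = sign_jwt({"uid": 7, "iat": issued, "exp": issued + 900}, key)
    print(verify_jwt(token, key))
    print(verify_jwt(token, key, now=issued + 901))
    print(validation_failures)
```

In a real deployment check_secret() belongs at application start-up so a misconfigured instance fails closed instead of serving tokens under a guessable key, and validation_failures should feed whatever log pipeline or SIEM you already use, since a burst of "bad signature" results is the most direct indicator that someone is presenting tokens minted under a different key.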