
.NET CVE-2025-35940

EUVD-2025-17816 · HIGH
Use of Hard-coded Credentials (CWE-798)
Published 2025-06-10 · vulnreport@tenable.com
CVSS 3.1 (NVD): 8.1

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:49 (euvd), EUVD-2025-17816
Analysis Generated: Mar 14, 2026 19:49 (vuln.today)
CVE Published: Jun 10, 2025 21:15 (nvd), rated HIGH 8.1

Description (CVE.org)

The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints.

Analysis (AI)

Critical authentication bypass vulnerability in ArchiverSpaApi ASP.NET applications caused by hard-coded JWT signing keys. An unauthenticated remote attacker can forge valid JWT tokens to bypass authentication and gain unauthorized access to protected API endpoints, potentially leading to data exfiltration, modification, or denial of service. The CVSS 8.1 score reflects high confidentiality, integrity, and availability impact, though the attack complexity is rated as high, suggesting some technical prerequisites.

Technical Context (AI)

ArchiverSpaApi is an ASP.NET web application that implements JWT (JSON Web Token) authentication for API endpoint protection. The vulnerability stems from CWE-798 (Use of Hard-Coded Credentials), where the application uses a static, non-random JWT signing key embedded in source code or configuration. JWT relies on asymmetric or symmetric cryptographic signing to ensure token authenticity and integrity. When the signing key is hard-coded and discoverable (through reverse engineering, source code exposure, or publicly documented), attackers can use standard JWT libraries to craft tokens with valid signatures that the application will trust. The ASP.NET framework's JWT validation middleware will accept these forged tokens if the signing key matches, completely bypassing role-based access control and authentication checks. CPE context indicates this affects ArchiverSpaApi deployments across ASP.NET platforms (likely CPE:2.3:a:*:archiverspaapi:*:*:*:*:*:asp.net:*:* or similar variants).

Remediation (AI)

IMMEDIATE:
(1) Identify the hard-coded JWT signing key in ArchiverSpaApi source code, configuration files (appsettings.json, web.config), or compiled assemblies via decompilation.
(2) Revoke all existing JWT tokens immediately (reduce token TTL or maintain a revocation list).
(3) Generate a new, cryptographically random signing key (minimum 256 bits for HMAC-SHA256; 2048+ bits for RSA).
(4) Deploy an updated ArchiverSpaApi version with a configurable JWT signing key sourced from a secure credential store (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
(5) Implement environment-specific key rotation.

WORKAROUNDS pending patch: Restrict network access to ArchiverSpaApi via firewall/WAF, implement IP whitelisting, disable JWT endpoints if not actively used, or run behind an OAuth 2.0 proxy that validates tokens independently.

SHORT-TERM: Monitor for token forgery attempts (abnormal claims, unexpected issuer/audience values).

LONG-TERM: Implement JWKS (JSON Web Key Set) endpoints for key distribution and establish key rotation policies.

Vendor advisories should be consulted at the ArchiverSpaApi publisher's security page (specific URL not provided in source data).
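The following is an added example, not code from the page or from the ArchiverSpaApi project. It contrasts the CWE-798 pattern this CVE describes (a literal signing key in the assembly) with remediation step (4): an ASP.NET minimal-API startup that reads the key from configuration, fails closed if it is absent or under 256 bits, and pins issuer, audience and algorithm. The configuration key names Jwt:SigningKey, Jwt:Issuer and Jwt:Audience are assumptions.

```csharp
// Vulnerable pattern (CWE-798): a literal key compiled into the assembly.
// Anyone who can read the binary or source can mint tokens this app trusts.
//   const string SigningKey = "<hard-coded literal, do not do this>";
//   IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey));

using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Remediated pattern: the key is read at startup from configuration, which is
// fed by an environment variable, user-secrets, or a secret-store configuration
// provider (Key Vault etc.). "Jwt:SigningKey", "Jwt:Issuer" and "Jwt:Audience"
// are assumed configuration key names for this example.
string? signingKey = builder.Configuration["Jwt:SigningKey"];
if (string.IsNullOrEmpty(signingKey) || Encoding.UTF8.GetByteCount(signingKey) < 32)
{
    // Fail closed: refuse to start rather than fall back to a default key.
    // 32 bytes is the 256-bit HMAC-SHA256 minimum named in the remediation.
    throw new InvalidOperationException("Jwt:SigningKey is missing or shorter than 256 bits");
}

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            // Pin issuer and audience so a token minted for another service is
            // rejected; unexpected values here are the forgery signal to monitor.
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            // Only accept HS256 so this symmetric key is never used another way.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/archive", () => "protected resource").RequireAuthorization();
app.Run();
```

Rotating the key means changing only the configured secret and restarting; tokens signed under the old key are rejected from that point, which is the revocation effect step (2) asks for.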


CVE-2025-35940 vulnerability details – vuln.today
