{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-11290","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-10-04T18:30:50.805Z","datePublished":"2025-10-05T11:32:04.828Z","dateUpdated":"2026-02-24T06:41:12.724Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2026-02-24T06:41:12.724Z"},"title":"CRMEB JWT HMAC Secret hard-coded key","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-321","lang":"en","description":"Use of Hard-coded Cryptographic Key"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-320","lang":"en","description":"Key Management Error"}]}],"affected":[{"vendor":"n/a","product":"CRMEB","versions":[{"version":"5.6.0","status":"affected"},{"version":"5.6.1","status":"affected"}],"cpes":["cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*"],"modules":["JWT HMAC Secret Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":6.3,"vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":5.6,"vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":5.1,"vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}],"timeline":[{"time":"2025-10-04T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-10-04T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-10-07T22:25:50.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"BlackSpdier (VulDB User)","type":"reporter"},{"lang":"en","value":"VulDB","type":"coordinator"}],"references":[{"url":"https://vuldb.com/?id.327171","name":"VDB-327171 | CRMEB JWT HMAC Secret hard-coded key","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.327171","name":"VDB-327171 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.659843","name":"Submit #659843 | CRMeB  v5.6.1 Use of hard-coded / weak cryptographic key (CWE-321 / CWE-798) —","tags":["third-party-advisory"]}]},"adp":[{"references":[{"url":"https://vuldb.com/?submit.659843","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-07T13:37:44.480253Z","id":"CVE-2025-11290","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-07T13:37:49.947Z"}}]}}