CVE-2025-26340
Published: 12 February 2025
Description
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Security Summary
CVE-2025-26340 is a CWE-321 vulnerability involving the use of a hard-coded cryptographic key in the JSON Web Token (JWT) signing mechanism of Q-Free MaxTime versions less than or equal to 2.11.0. This flaw affects the authentication process, enabling attackers to forge valid JWTs due to the static key, which undermines the integrity of signed tokens.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, requiring user interaction such as clicking a crafted link or opening a malicious request. Successful exploitation allows bypassing authentication entirely, granting high-impact access to confidential data (C:H), modification of system integrity (I:H), and potential disruption of availability (A:H), as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
For mitigation details, refer to the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26340, which was released alongside the CVE publication on 2025-02-12.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hard-coded JWT signing key enables unauthenticated remote attackers to craft forged authentication tokens via HTTP requests, facilitating exploitation of the public-facing management web application (T1190) and forging web credentials (T1606).