CVE-2025-56749
Published: 15 October 2025
Description
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Security Summary
CVE-2025-56749, published on 2025-10-15, affects Creativeitem Academy LMS versions up to and including 6.14. The application signs its JSON Web Tokens with a hardcoded default secret. Because that secret ships with the software, it is predictable: anyone who knows it can sign tokens that any installation still using the default will accept as genuine. The flaw is classified as CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), i.e. high impact on confidentiality and integrity and low impact on availability.
Exploitation is remote and unauthenticated over the network, with low attack complexity and no user interaction. With the secret in hand, an attacker signs a token carrying the identity claims of any chosen account and presents it to the application, which verifies the signature, finds it valid, and grants that account's access. No password, existing session, or prior foothold is required, so the vulnerability amounts to a full authentication bypass for every user account in the LMS.
Advisories and mitigation details are provided in the referenced source at https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/, which security practitioners should review for patching recommendations and remediation steps.
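The following is an added illustration of the weakness class, not code from Academy LMS or from the referenced advisory. It implements a minimal HS256 JWT signer/verifier in Python (the real application is not Python, but the failure mode is language-independent), uses a constructed placeholder `DEFAULT_SECRET` rather than the product's actual secret, and contrasts a verifier bound to that constant with one that loads a per-installation secret and refuses the default. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed placeholder standing in for a secret shipped in source code.
# The real Academy LMS value is deliberately not reproduced here.
DEFAULT_SECRET = "change-this-default-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Produce a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims if the token is a valid, unexpired HS256 JWT under `secret`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust alg from the token
            return None
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:                        # bad base64 / JSON / wrong segment count
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Vulnerable pattern: the verification key is a compile-time constant shared by every install.
def vulnerable_authenticate(token: str):
    return verify_hs256(token, DEFAULT_SECRET)


# Attacker's side: the default is public knowledge, so any claims can be minted.
def forge_token(user_id: int, role: str, secret: str = DEFAULT_SECRET) -> str:
    claims = {"sub": user_id, "role": role, "exp": int(time.time()) + 3600}
    return sign_hs256(claims, secret)


# Hardened pattern: per-installation secret from the environment, known default refused.
def load_jwt_secret(env=os.environ) -> str:
    secret = env.get("JWT_SECRET")
    if not secret or secret == DEFAULT_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET is unset, still the shipped default, or shorter than 32 chars")
    return secret


def hardened_authenticate(token: str, env=os.environ):
    return verify_hs256(token, load_jwt_secret(env))


if __name__ == "__main__":
    forged = forge_token(user_id=1, role="admin")
    print("vulnerable verifier accepts forged token:", vulnerable_authenticate(forged))
    import secrets
    print("hardened verifier rejects it:",
          hardened_authenticate(forged, {"JWT_SECRET": secrets.token_urlsafe(48)}))
```

`vulnerable_authenticate` doubles as a deployment check: if a token issued by a live instance verifies under the shipped default, that instance is still exposed. Replacing the secret invalidates every token previously signed with it, which is the desired outcome after this kind of disclosure.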
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
- Affected Products: Creativeitem Academy LMS, versions up to and including 6.14
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1606 (Forge Web Credentials)
Why these techniques?
The hardcoded, predictable JWT secret lets a remote unauthenticated attacker forge authentication tokens. Sending those tokens to the LMS is exploitation of a public-facing web application (T1190), and minting them in the first place is forging web credentials (T1606).