Security Flaw in CRMEB Affecting JWT HMAC Secret Handler
CVE-2025-11290

6.3MEDIUM

Key Information:

Vendor

CRMEB

Status
Crmeb
Vendor
CVE Published:
5 October 2025

What is CVE-2025-11290?

A security flaw in CRMEB up to version 5.6.1 allows manipulation of the JWT HMAC Secret Handler's argument 'secret' with the input 'default', leading to the use of a hard-coded cryptographic key. This vulnerability enables remote attackers to exploit the system, although the complexity of the attack is high. It is important to note that an exploit is publicly available, and the vendor has not responded to early disclosures regarding this issue. Organizations using affected versions should take immediate steps to mitigate potential risks associated with this vulnerability.

Affected Version(s)

CRMEB 5.6.0

CRMEB 5.6.1

References

https://vuldb.com/?id.327171
vdb-entrytechnical-description
https://vuldb.com/?ctiid.327171
signaturepermissions-required
https://vuldb.com/?submit.659843
third-party-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

BlackSpdier (VulDB User)
JSON
.
CVE-2025-11290 : Security Flaw in CRMEB Affecting JWT HMAC Secret Handler