← voltar
CVE-2025-41702

egOS WebGUI Hard-Coded JWT Secret Enables Authentication Bypass

CVSS 9.8 CRITICALEPSS 0.5%CWE-321
The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
Welotec · EG400Mk2-D11001-000101Welotec · EG400Mk2-D11101-000101Welotec · EG500Mk2-A11001-000101Welotec · EG500Mk2-A11001-000201Welotec · EG500Mk2-A11101-000101Welotec · EG500Mk2-A12011-000101Welotec · EG500Mk2-A21101-000101Welotec · EG500Mk2-B11001-000101Welotec · EG500Mk2-B11101-000101Welotec · EG500Mk2-C11001-000101Welotec · EG500Mk2-C11101-000101Welotec · EG503LWelotec · EG503L_4GBWelotec · EG503L-GWelotec · EG503WWelotec · EG503W_4GBWelotec · EG602LWelotec · EG602WWelotec · EG603L Mk2Welotec · EG603W Mk2Welotec · EG802WWelotec · EG802W_i7_512GB_DinRailWelotec · EG802W_i7_512GB_w/o DinRailWelotec · EG804WWelotec · EG804W Pro

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://certvde.com/de/advisories/VDE-2025-076