The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.
The cryptographic key used to sign JWT tokens with the HS256 algorithm is hard-coded into the egOS WebGUI backend code and can be read by the default system user. Knowing this key, an attacker can independently create any cryptographically valid JWT tokens without possessing any credentials. The server verifies the token signature as valid, treating the request as authenticated and authorized.
An attacker gains full, unauthorized access to the WebGUI interface by bypassing authentication and authorization, which may lead to device takeover, disclosure of sensitive configuration data, and violation of system integrity and availability.
Apply patches available from the vendor according to references (https://certvde.com/de/advisories/VDE-2025-076). Until updates are applied, it is recommended to restrict network access to the WebGUI interface only to trusted hosts and monitor traffic for unauthorized requests with suspicious JWT tokens.
Products equipped with egOS WebGUI — specific versions indicated in vendor references (certvde.com, VDE-2025-076)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H