CVE-2025-41672
Multiple · Multiple Vendors JWT Authentication Systems
A critical vulnerability has been identified in multiple JSON Web Token (JWT) authentication systems that allows a remote, unauthenticated attacker to gain complete administrative access.
Executive summary
A critical vulnerability has been identified in multiple JSON Web Token (JWT) authentication systems that allows a remote, unauthenticated attacker to gain complete administrative access. This issue stems from the use of default, publicly known security certificates, enabling attackers to forge valid access tokens and bypass all authentication measures. Successful exploitation results in a total compromise of the affected application and any connected systems or devices.
Vulnerability
This vulnerability occurs when a system uses a default, hard-coded, or publicly known certificate/secret key to sign and verify JWTs. An attacker can obtain this default key and use it to craft a malicious JWT, embedding arbitrary claims such as {"user": "admin", "role": "administrator"}. When this forged token is presented to the vulnerable application, the application will use its own copy of the default key to validate the signature. Since the keys match, the signature is deemed valid, and the application grants the attacker the privileges specified in the forged token, leading to a complete authentication bypass and system takeover.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 10, representing a complete failure of the authentication security control. Exploitation can lead to a full compromise of the application's confidentiality, integrity, and availability. An attacker could exfiltrate sensitive user data, modify or delete critical information, disrupt business operations, and use the compromised system as a pivot point to attack other internal network resources. The financial and reputational damage from such a breach could be catastrophic.
Remediation
Immediate Action: Immediately identify all applications utilizing JWT-based authentication and audit their configurations. Replace any default, weak, or shared signing certificates/secrets with cryptographically secure, unique keys for each application instance. Ensure that the JWT validation logic is properly implemented to check not only the signature but also critical claims like the issuer (iss) and audience (aud) to prevent token misuse across different services.
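The validation logic described above, written out as an added example (not code from any affected vendor): HS256 verification using only the Python standard library, with the algorithm pinned server-side, a constant-time signature check, issuer/audience/expiry checks, a minimum-length guard on the signing secret, and a helper that generates a unique per-instance key. The issuer and audience strings are constructed placeholders.

```python
import base64, hmac, hashlib, json, secrets, time
from typing import Optional

MIN_SECRET_BYTES = 32  # assumption: 256-bit minimum for an HS256 signing key
ALG = "HS256"          # pinned server-side; the token header is never trusted for this

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT (header.payload.signature) signed with the given secret."""
    header = b64url_encode(json.dumps({"alg": ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    """Return the claims only if secret strength, alg, signature, iss, aud and exp all check out."""
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("signing secret too short: replace it with a unique per-instance key")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != ALG:  # rejects 'none' and any algorithm switch
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims

def new_signing_secret() -> bytes:
    """Generate a fresh random key; call once per application instance and store it outside the code."""
    return secrets.token_bytes(MIN_SECRET_BYTES)
```

A token signed with any key other than the instance's own fails the signature check, so the forged-claims scenario only works when the verifier's key is the attacker-known default.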
Proactive Monitoring: Monitor authentication logs for unusual patterns, such as a high volume of successful logins from unexpected IP addresses, logins for privileged accounts outside of business hours, or the appearance of tokens with unexpected claims. Configure security information and event management (SIEM) systems to alert on any JWT validation failures or successes that correlate with known indicators of compromise. Network monitoring should be used to detect anomalous outbound traffic from application servers, which could indicate data exfiltration.
Compensating Controls: If patching is not immediately feasible, implement strict network access controls to limit exposure of the authentication endpoint to the public internet. Use a Web Application Firewall (WAF) to filter requests and potentially block malformed or suspicious-looking JWTs. Enforce strict network segmentation to contain any potential breach and prevent lateral movement from the compromised application server to other critical systems.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 10 and the ease of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all system owners immediately initiate the Immediate Action steps outlined in the remediation plan. All JWT-based systems must be audited and patched with the highest priority. Although this CVE is not yet on the CISA KEV list, its characteristics make it a prime candidate for future inclusion, and organizations should treat it with the urgency of an actively exploited threat.