A critical vulnerability exists in Creativeitem Academy LMS products that allows an attacker to completely bypass authentication. The software uses a predictable, hardcoded secret key to secure user sessions, enabling malicious actors to forge valid access tokens for any user, including administrators. Successful exploitation could lead to a full system compromise, resulting in data theft, system disruption, and significant reputational damage.

The application utilizes a static, hardcoded secret key for signing JSON Web Tokens (JWTs). Because this secret is the same across all installations, an attacker can obtain it by analyzing the application's source code. With this secret, an attacker can craft a malicious JWT, embedding arbitrary user details and administrative privileges within the token's payload. When this forged token is presented to the application, it is accepted as valid, granting the attacker complete, unauthorized access and control over the system.

This vulnerability is rated as critical severity with a CVSS score of 9.4, reflecting the high potential for significant business disruption. An attacker can gain full administrative privileges, leading to severe consequences such as the unauthorized access, modification, or exfiltration of sensitive data, including student personally identifiable information (PII), course content, and financial records. The attacker could also deface the platform, delete user accounts, or use the compromised system as a pivot point to launch further attacks against the organization's internal network. This could result in major data breaches, regulatory fines, loss of customer trust, and substantial reputational harm.

Immediate Action: Immediately update all instances of Creativeitem Academy LMS to the latest version provided by the vendor, which addresses this vulnerability by replacing the hardcoded secret. After patching, it is critical to review all administrative accounts for unauthorized changes and to review application access logs for any signs of suspicious authentication events that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of application and web server logs. Specifically, look for unusual authentication patterns, such as successful administrative logins from unrecognized IP addresses, rapid session creations, or access to sensitive functions outside of normal business hours. Configure security information and event management (SIEM) alerts for JWTs with unusually long validity periods or tokens that grant elevated privileges.

Compensating Controls: If immediate patching is not feasible, implement the following temporary controls:

• Restrict access to the application's administrative dashboard to a limited set of trusted IP addresses using a Web Application Firewall (WAF) or network access control lists (ACLs).
• Place the application behind a reverse proxy or identity-aware proxy that can enforce stronger authentication policies, such as Multi-Factor Authentication (MFA).
• Isolate the application server from other critical network segments to limit the potential impact of a compromise.

Public Exploit Available: false

Given the critical severity (CVSS 9.4) and the ease of exploitation, immediate action is required. We strongly recommend that all vulnerable Creativeitem Academy LMS instances be patched immediately, prioritizing internet-facing systems. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its high impact and the likelihood of future exploitation warrant treating it as an urgent threat. Organizations should assume they are being targeted and apply the recommended remediation and monitoring controls without delay.