CVE-2025-15105

3.7 LOW

📋 TL;DR

getmaxun maxun up to and including version 0.0.28 uses a hard-coded cryptographic key in its Authentication API (the auth.ts route of the server component). Because the key is the same in every installation and maxun is open source, the key is readable by anyone; an attacker who manipulates the api_key parameter can potentially bypass authentication or decrypt data the key protects. The attack can be launched remotely but is rated high complexity, which is why the score is only 3.7 (LOW). Every deployment running an affected version, including the default configuration, is affected.

💻 Affected Systems

Products:
  • getmaxun maxun
Versions: up to and including 0.0.28
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the authentication route in the server component.

📦 What is this software?

Maxun (getmaxun/maxun) is an open-source, no-code web data extraction platform: users record browsing actions as "robots" that scrape sites into structured data and expose the results through an API. The server component that issues and checks API keys for that API is where this vulnerability sits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who can reach the Authentication API and holds the hard-coded key forges or decrypts API credentials, bypasses authentication entirely, and gains unauthorized access to the data and administrative functions behind it.

🟠

Likely Case

Limited information disclosure or authentication bypass requiring specific conditions to be met.

🟢

If Mitigated

Negligible impact if the /auth route is reachable only from trusted networks and the hard-coded key has been replaced with a per-deployment secret; network controls alone only limit who can try, the key stays weak until the code is changed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires manipulating the api_key parameter sent to the Authentication API together with knowledge of the hard-coded key. Since maxun is open source, the key itself is not a secret; the high-complexity rating reflects the conditions needed to turn the key into a working bypass, not the difficulty of obtaining it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Monitor the getmaxun/maxun release notes and commit history for a change that removes the hard-coded key from the server's auth.ts route. 2. Upgrade to the first release that contains that change; a version number above 0.0.28 is not by itself proof the key was removed, so confirm the fix as described under How to Verify. 3. Rotate any API keys issued while the hard-coded key was in use, since they may have been decrypted or forged. 4. Restart the service after the update.

🔧 Temporary Workarounds

Restrict the vulnerable endpoint

Platforms: all

Restrict the /auth route of the server component to trusted source networks until the key is replaced. Denying it outright (deny all) also blocks legitimate logins, so use an allow list, and keep it in place only as long as the key is still hard-coded; this reduces exposure and does not fix the weakness.

# Configure the web server or firewall in front of maxun to limit who can reach /auth
# Example for nginx (10.0.0.0/8 stands in for your trusted range):
# location /auth { allow 10.0.0.0/8; deny all; }

Replace the hard-coded key

Platforms: all

Edit the server's auth.ts so the cryptographic key is loaded from an environment variable or secrets store instead of a literal in source, generate a fresh random key for each deployment, and rotate any API keys issued under the old key. Filtering client-supplied api_key values against "known hard-coded patterns" does not address the weakness, because the problem is the key the server itself uses, not the shape of the input.

# In auth.ts, replace the literal key with a value read from the environment (fail closed if it is unset) and regenerate issued API keys

🧯 If You Can't Patch

  • Implement strict network segmentation so the maxun server, and its /auth route in particular, is reachable only from the networks that need it
  • Deploy a web application firewall in front of the server with rules that alert on or block requests to /auth that carry api_key in the query string or present the hard-coded key value taken from auth.ts

🔍 How to Verify

Check if Vulnerable:

Confirm the deployed getmaxun maxun is version 0.0.28 or earlier, then inspect the server's auth.ts route for a cryptographic key written as a literal (a fixed string or byte array passed to an encryption, HMAC or signing call instead of a value loaded from configuration or the environment).

Check Version:

Read the version field in the server's package.json, or the version reported by the running application's configuration or UI, and compare it with 0.0.28.

Verify Fix Applied:

Confirm the running version is above 0.0.28 and that auth.ts no longer contains a literal cryptographic key; a version bump alone is not proof, so check the source or the release notes for the change that removed the key, and confirm that API keys issued before the fix have been rotated.

📡 Detection & Monitoring

Log Indicators:

  • Requests to /auth that carry an api_key parameter in the query string (a key in a URL is written to every proxy and server log, so the log itself becomes a leak)
  • api_key values equal to the literal key taken from auth.ts, once you have pulled it from the affected source
  • Bursts of 401/403 responses to /auth from a single source, which suggest someone iterating on api_key values

Network Indicators:

  • Traffic to /auth from sources outside the networks that normally authenticate
  • Requests to /auth whose api_key value repeats across unrelated source addresses or matches the hard-coded value

SIEM Query:

A wildcard such as "*hardcoded*" matches nothing useful; substitute the literal key value from auth.ts, and note that an api_key field exists only if your log pipeline parses query strings into fields:

source="web_logs" AND uri_path="/auth*" AND api_key="<literal key value from auth.ts>"
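
The three log indicators above run as code, as an added example that is not maxun's code: it parses constructed access-log lines in common log format, and flags api_key in a query string, api_key equal to the hard-coded key, and bursts of rejected auth requests per source. KNOWN_BAD_KEY is a placeholder for the literal taken from auth.ts (its real value is not reproduced here); the IP addresses, timestamps and request lines in the sample are made up.

```javascript
// Added example, not maxun's code: detection logic for the indicators listed
// above, run over constructed log lines. KNOWN_BAD_KEY is a placeholder for
// the literal key in auth.ts; the sample IPs, timestamps and requests are made up.
const KNOWN_BAD_KEY = "REPLACE_WITH_KEY_LITERAL_FROM_AUTH_TS";

const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "POST /auth HTTP/1.1" 200 512',
  `203.0.113.9 - - [12/Jan/2025:10:00:02 +0000] "GET /auth?api_key=${KNOWN_BAD_KEY} HTTP/1.1" 200 88`,
  '203.0.113.9 - - [12/Jan/2025:10:00:03 +0000] "GET /auth?api_key=0000aaaa HTTP/1.1" 401 0',
  '203.0.113.9 - - [12/Jan/2025:10:00:04 +0000] "GET /auth?api_key=0000bbbb HTTP/1.1" 401 0',
  '203.0.113.9 - - [12/Jan/2025:10:00:05 +0000] "GET /auth?api_key=0000cccc HTTP/1.1" 401 0',
  '198.51.100.7 - - [12/Jan/2025:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 9010',
  '10.0.0.5 - - [12/Jan/2025:10:00:07 +0000] "POST /auth HTTP/1.1" 401 0',
];

// Common log format: ip ident user [time] "method target proto" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Parse one line into the fields the detections need; null if it is not a log line.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  // The base URL only lets the WHATWG URL parser accept a relative request target.
  const url = new URL(m[3], "http://log.invalid");
  return {
    ip: m[1],
    method: m[2],
    path: url.pathname,
    apiKey: url.searchParams.get("api_key"),
    status: Number(m[4]),
  };
}

// Apply the three indicators to a list of lines and return the findings.
function scanAuthLog(lines, { knownBadKey = KNOWN_BAD_KEY, failureThreshold = 3 } = {}) {
  const findings = [];
  const failuresByIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !r.path.startsWith("/auth")) continue;
    if (r.apiKey !== null) {
      // A key in the query string is copied into every proxy and server log.
      findings.push({ ip: r.ip, path: r.path, reason: "api_key sent in query string" });
      if (r.apiKey === knownBadKey) {
        findings.push({ ip: r.ip, path: r.path, reason: "api_key equals the hard-coded key" });
      }
    }
    if (r.status === 401 || r.status === 403) {
      failuresByIp.set(r.ip, (failuresByIp.get(r.ip) || 0) + 1);
    }
  }
  // Repeated rejections from one source look like iteration on api_key values.
  for (const [ip, n] of failuresByIp) {
    if (n >= failureThreshold) {
      findings.push({ ip, path: "/auth", reason: `${n} rejected auth requests` });
    }
  }
  return findings;
}
```

On the sample, the scan reports the four requests that put api_key in the URL, one of which carries the placeholder hard-coded value, and one burst of three rejections from 203.0.113.9; the single 401 from 10.0.0.5 stays below the threshold. Tune failureThreshold to the failure rate your users actually produce before alerting on it.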
