Welotec: Hard-coded JWT secret in egOS WebGUI

VDE-2025-076

Last update

08/26/2025 09:00

Published at

08/26/2025 09:00

Vendor(s)

Welotec GmbH

External ID

VDE-2025-076

CSAF Document

Download

Summary

A hard-coded JWT secret in the egOS WebGUI backend is readable to the default user, allowing attackers to forge valid tokens and access protected API endpoints.

Impact

Affected Product(s)

Model no.	Product name	Affected versions
WEG500100210	EG400Mk2-D11001-000101	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG500100580	EG400Mk2-D11101-000101	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG500100170	EG500Mk2-A11001-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100290	EG500Mk2-A11001-000201	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100160	EG500Mk2-A11101-000101	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG500100280	EG500Mk2-A12011-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100650	EG500Mk2-A21101-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100190	EG500Mk2-B11001-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100180	EG500Mk2-B11101-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100270	EG500Mk2-C11001-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100260	EG500Mk2-C11101-000101	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100020	EG503L	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG500100130	EG503L-G	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG500100040	EG503L_4GB	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100010	EG503W	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG500100030	EG503W_4GB	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG600100020	EG602L	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG600100010	EG602W	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG600100150	EG603L Mk2	egOS <v1.7.7, egOS v1.8.0<v1.8.2
WEG600100140	EG603W Mk2	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG800100010	EG802W	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG800100040	EG802W_i7_512GB_DinRail	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG800100050	EG802W_i7_512GB_w/o DinRail	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG800100020	EG804W	egOS v1.8.0<v1.8.2, egOS <v1.7.7
WEG800100090	EG804W Pro	egOS <v1.7.7, egOS v1.8.0<v1.8.2

Vulnerabilities

Expand / Collapse all

Published

09/22/2025 14:57

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Use of Hard-coded Cryptographic Key (CWE-321)

Summary

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.

References

cve.org | nvd.nist.gov

Revision History

Version	Date	Summary
1.0.0	08/26/2025 09:00	initial version

Welotec: Hard-coded JWT secret in egOS WebGUI

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2025-41702 9.8

Revision History