How severe is CVE-2025-30206?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2025-30206?

This is classified as CWE-321, which is a common weakness in software security.

CVE-2025-30206 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. This issue is patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with a securely generated value and load it from secure configuration storage.

Related Vulnerabilities

CVE-2016-4437

CRITICAL

CVSS:9.8(Critical)

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unsp...

CWE-3212016

CVE-2017-14021

CRITICAL

CVSS:9.8(Critical)

A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G v...

CWE-3212017

CVE-2018-0040

CRITICAL

CVSS:9.8(Critical)

Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized acc...

CWE-3212018

CVE-2019-19750

CRITICAL

CVSS:9.8(Critical)

minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.

CWE-3212019

CVE-2019-19752

CRITICAL

CVSS:9.8(Critical)

nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as o...

CWE-3212019

CVE-2020-6990

CRITICAL

CVSS:9.8(Critical)

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic ...

CWE-3212020