CVE-2025-54137 is a high-severity vulnerability affecting haxtheweb's HAX CMS NodeJS backend, specifically versions 11.0.9 and earlier. The core issue is the presence of hardcoded default credentials for both user and superuser accounts, as well as default private keys used for JWT (JSON Web Token) authentication. These credentials and keys are publicly accessible in the haxtheweb GitHub repositories, allowing unauthenticated attackers to retrieve them easily. Since the application neither prompts users to change these credentials during installation nor provides a UI mechanism to modify them afterward, any self-hosted instance that remains unconfigured is vulnerable to unauthorized access. Exploitation enables attackers to log in without authentication, modify microsite content, and potentially launch further attacks leveraging the compromised instance. The vulnerability is classified under CWE-1392 (Use of Default Credentials), highlighting the risk of embedded secrets that are not changed by users. The CVSS v3.1 score of 7.3 reflects a high impact with network attack vector, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on July 22, 2025, and fixed in version 11.0.10 of the software. No known exploits are currently reported in the wild, but the ease of exploitation and public availability of credentials make this a significant risk for unpatched deployments.

For European organizations using haxtheweb's HAX CMS NodeJS backend, this vulnerability poses a substantial risk. Unauthorized access to unconfigured instances can lead to content tampering, defacement, or insertion of malicious code, potentially damaging brand reputation and user trust. Attackers could leverage compromised microsites as footholds for lateral movement within internal networks or to distribute malware to visitors. Confidential information managed via these microsites could be exposed or altered, impacting data integrity and confidentiality. Given the lack of authentication barriers and the public availability of credentials, even low-skilled attackers can exploit this vulnerability remotely. This risk is amplified in sectors where microsites are used for critical communications or customer interactions, such as government, finance, or healthcare organizations in Europe. Additionally, compromised microsites could be used to conduct phishing or social engineering campaigns targeting European users, increasing the threat landscape. The vulnerability's network-based attack vector and no requirement for user interaction mean that automated scanning and exploitation tools could rapidly identify and compromise vulnerable instances, leading to widespread impact if not mitigated promptly.

European organizations should immediately upgrade all haxtheweb HAX CMS NodeJS instances to version 11.0.10 or later, where the default credentials and JWT keys issue is resolved. For existing deployments, administrators must verify that no instances remain running with default credentials or unmodified JWT keys. If upgrading is not immediately feasible, organizations should manually change credentials and JWT secrets by directly modifying configuration files or environment variables, even if this requires custom intervention beyond the UI. Network-level protections such as firewall rules should restrict access to the management interfaces of these microsites to trusted IP ranges only. Continuous monitoring and auditing of access logs should be implemented to detect unauthorized login attempts or suspicious activities. Organizations should also scan their public GitHub repositories and internal codebases to ensure no default credentials or private keys are inadvertently exposed. Finally, security awareness training should emphasize the risks of default credentials and the importance of secure configuration management to prevent similar issues.