CVE-2025-11899 CRITICAL

CVE-2025-11899: Flowring Technology|Agentflow - Use of Hard-coded Cryptographic Key

Vendor Flowring Technology
Product Agentflow
Weakness CWE-321
Published October 17, 2025
Last update October 17, 2025

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Agentflow, developed by Flowring, has a Use of Hard-coded Cryptographic Key vulnerability that allows unauthenticated remote attackers to use the fixed key to generate verification information and thereby log into the system as any user. An attacker must first obtain a user ID in order to exploit this vulnerability.

Key dates

02 Disclosure timeline

October 17, 2025 CVE published
October 17, 2025 Record updated