CWE-1394
Use of Default Cryptographic Key
Abstraction: Base; Status: Incomplete
Description
The product uses a default cryptographic key for potentially critical functionality.

It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (8)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-48956 | Cri | 0.65 | 9.8 | 0.12 | | Dec 9, 2024 | Serviceware Processes 6.0 through 7.3 before 7.4 allows attackers without valid authentication to send a specially crafted HTTP request to a service endpoint resulting in remote code execution. |
| CVE-2025-55049 | Cri | 0.59 | 9.1 | 0.00 | | Sep 9, 2025 | Use of Default Cryptographic Key (CWE-1394) |
| CVE-2024-1275 | Cri | 0.59 | — | 0.00 | | May 31, 2024 | Use of Default Cryptographic Key vulnerability in Baxter Welch Allyn Connex Spot Monitor may allow Configuration/Environment Manipulation. This issue affects Welch Allyn Connex Spot Monitor in all versions prior to 1.52. |
| CVE-2026-5039 | Hig | 0.57 | 8.8 | 0.00 | | Apr 23, 2026 | TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if the device is left in its default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger a device reboot, resulting in loss of integrity and a denial-of-service condition. |
| CVE-2026-20709 | Med | 0.43 | 6.6 | 0.00 | | Apr 8, 2026 | Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. A hardware reverse-engineering adversary with a privileged user combined with a high-complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. |
| CVE-2025-1688 | Med | 0.36 | 5.5 | 0.00 | | Apr 15, 2025 | Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI with the standard procedure. Any system upgraded with the 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected. |
| CVE-2026-2215 | Low | 0.24 | 3.7 | 0.00 | | Feb 9, 2026 | A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of a default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. |
| CVE-2026-25815 | Low | 0.21 | 3.2 | 0.00 | | Feb 5, 2026 | Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers' installations). NOTE: the Supplier's position is that the instance of CWE-1394 is not a vulnerability because customers "are supposed to enable" a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the "Managing FortiGates with private data encryption" document, and is therefore intentionally not a default option. |