VYPR

CWE-321

Use of Hard-coded Cryptographic Key

Abstraction: Variant
Status: Draft
Likelihood: High

Description

The product uses a hard-coded, unchangeable cryptographic key.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (146)

page 1 of 8
  • CVE-2016-4437 | Critical | KEV | Jun 7, 2016
    risk 0.79 | cvss 9.8 | epss 0.93

    Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

  • CVE-2025-57174 | Critical | Sep 15, 2025
    risk 0.67 | cvss 9.8 | epss 0.01

    An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the binary. These keys are…

  • CVE-2024-30207 | Critical | May 14, 2024
    risk 0.65 | cvss 10.0 | epss 0.01

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating…

  • CVE-2016-9335 | Critical | May 9, 2018
    risk 0.65 | cvss 10.0 | epss 0.02

    A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and…

  • CVE-2026-28742 | Critical | Jun 12, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence…

  • CVE-2026-32644 | Critical | Apr 28, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

  • CVE-2025-67305 | Critical | Feb 19, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the…

  • CVE-2026-22906 | Critical | Feb 9, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

  • CVE-2026-22586 | Critical | Jan 24, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud…

  • CVE-2025-62581 | Critical | Jan 16, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Delta Electronics DIAView has multiple vulnerabilities.

  • CVE-2025-34256 | Critical | Dec 5, 2025
    risk 0.64 | cvss 9.8 | epss 0.01

    Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email…

  • CVE-2025-8625 | Critical | Sep 30, 2025
    risk 0.64 | cvss 9.8 | epss 0.01

    The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched…

  • CVE-2025-54807 | Critical | Sep 18, 2025
    risk 0.64 | cvss 9.8 | epss 0.01

    The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system.

  • CVE-2025-41702 | Critical | Aug 26, 2025
    risk 0.64 | cvss 9.8 | epss 0.00

    The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.

  • CVE-2024-35344 | Critical | May 28, 2024
    risk 0.64 | cvss 9.9 | epss 0.00

    Certain Anpviz products contain a hardcoded cryptographic key stored in the firmware of the device. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8,…

  • CVE-2019-19752 | Critical | Apr 30, 2024
    risk 0.64 | cvss 9.8 | epss 0.01

    nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-12-01, the vendor indicated plans to fix this in the next image build.

  • CVE-2023-3632 | Critical | Aug 9, 2023
    risk 0.64 | cvss 9.8 | epss 0.01

    Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass. This issue affects Kunduz - Homework Helper App: before 6.2.3.

  • CVE-2020-6990 | Critical | Mar 16, 2020
    risk 0.64 | cvss 9.8 | epss 0.04

    Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the…

  • CVE-2018-0040 | Critical | Jul 11, 2018
    risk 0.64 | cvss 9.8 | epss 0.01

    Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services.

  • CVE-2017-14021 | Critical | Nov 1, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d,…