VYPR

CWE-321

Use of Hard-coded Cryptographic Key

VariantDraftLikelihood: High

Description

The product uses a hard-coded, unchangeable cryptographic key.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (146)

page 2 of 8
  • CVE-2017-7574CriApr 6, 2017
    risk 0.64cvss 9.8epss 0.01

    Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a…

  • CVE-2026-46395CriJun 5, 2026
    risk 0.60cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the…

  • CVE-2026-50091CriJun 12, 2026
    risk 0.59cvss 9.1epss 0.00

    Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of…

  • CVE-2026-31986CriMay 19, 2026
    risk 0.59cvss 9.1epss 0.00

    Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

  • CVE-2025-30095CriMar 31, 2025
    risk 0.59cvss 9.0epss 0.00

    VyOS 1.3 through 1.5 (fixed in 1.4.2) or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if…

  • CVE-2019-19753CriApr 30, 2024
    risk 0.59cvss 9.1epss 0.00

    SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: the vendor indicated that they have no plans to fix this, and…

  • CVE-2026-45433HigJun 4, 2026
    risk 0.57cvss epss 0.00

    This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of…

  • CVE-2026-42518HigApr 29, 2026
    risk 0.57cvss epss 0.00

    This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information…

  • CVE-2025-30206CriApr 15, 2025
    risk 0.57cvss 9.8epss 0.01

    Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw…

  • CVE-2022-0664CriFeb 18, 2022
    risk 0.57cvss 9.8epss 0.02

    Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.

  • CVE-2026-33362HigMay 11, 2026
    risk 0.56cvss 8.6epss 0.00

    In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service…

  • CVE-2026-11347HigJun 5, 2026
    risk 0.55cvss epss 0.00

    The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with…

  • CVE-2025-40946HigMay 12, 2026
    risk 0.54cvss 8.3epss 0.00

    A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M10 (All…

  • CVE-2025-30234HigMar 19, 2025
    risk 0.54cvss 8.3epss 0.00

    SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26).

  • CVE-2026-24218HigMay 20, 2026
    risk 0.53cvss 8.1epss 0.01

    NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host…

  • CVE-2015-10148HigApr 3, 2026
    risk 0.53cvss 8.2epss 0.00

    Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications.…

  • CVE-2025-11899HigOct 17, 2025
    risk 0.53cvss 8.1epss 0.01

    Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user. Attacker must first obtain an user ID…

  • CVE-2024-30407HigApr 12, 2024
    risk 0.53cvss 8.1epss 0.01

    The Use of a Hard-coded Cryptographic Key vulnerability in Juniper Networks Juniper Cloud Native Router (JCNR) and containerized routing Protocol Deamon (cRPD) products allows an attacker to perform Person-in-the-Middle (PitM) attacks which results in complete compromise of…

  • CVE-2026-47410criMay 29, 2026
    risk 0.52cvss epss 0.00

    ## Summary **Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `"dev-secret-change-me"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != "dev"`; the default value of `PLATFORM_ENV`…

  • CVE-2026-5426CriApr 16, 2026
    risk 0.52cvss 9.1epss 0.01

    Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks