VYPR

CWE-321

Use of Hard-coded Cryptographic Key

Variant | Draft | Likelihood: High

Description

The product uses a hard-coded, unchangeable cryptographic key.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (146)

page 3 of 8
  • CVE-2026-6787 | High | May 6, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process. This issue affects WatchGuard Agent: before 1.25.03.0000.

  • CVE-2026-45041 | High | May 28, 2026
    risk 0.50 | cvss n/a | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key…

  • CVE-2026-32324 | High | Apr 17, 2026
    risk 0.50 | cvss 7.7 | epss 0.00

    Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.

  • CVE-2025-46582 | High | Oct 27, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    A private key disclosure vulnerability exists in ZTE's ZXMP M721 product. A low-privileged user can bypass authorization checks to view the device's communication private key, resulting in key exposure and impacting communication security.

  • CVE-2024-56429 | High | May 21, 2025
    risk 0.50 | cvss 7.7 | epss 0.00

    itech iLabClient 3.7.1 relies on the hard-coded YngAYdgAE/kKZYu2F2wm6w== key (found in iLabClient.jar) for local users to read or write to the database.

  • CVE-2025-24525 | High | Sep 30, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Keysight Ixia Vision has an issue with hardcoded cryptographic material which may allow an attacker to intercept or decrypt payloads sent to the device via API calls or user authentication if the end user does not replace the TLS certificate that shipped with the device.…

  • CVE-2017-6054 | High | Apr 26, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.

  • CVE-2026-6580 | High | Apr 19, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipulation of the argument key leads to use of hard-coded cryptographic key. The…

  • CVE-2025-15605 | High | Mar 23, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them,…

  • CVE-2026-34022 | High | Jun 15, 2026
    risk 0.46 | cvss n/a | epss 0.00

    The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic.…

  • CVE-2025-34500 | High | Oct 24, 2025
    risk 0.46 | cvss n/a | epss 0.00

    Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface -…

  • CVE-2025-1099 | High | Feb 10, 2025
    risk 0.46 | cvss n/a | epss 0.00

    This vulnerability exists in Tapo C500 Wi-Fi camera due to hard-coded RSA private key embedded within the device firmware. An attacker with physical access could exploit this vulnerability to obtain cryptographic private keys which can then be used to perform impersonation, data…

  • CVE-2018-10896 | High | Aug 1, 2018
    risk 0.46 | cvss 7.1 | epss 0.00

    The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys,…

  • CVE-2026-34029 | Medium | Jun 15, 2026
    risk 0.44 | cvss n/a | epss 0.00

    The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded…

  • CVE-2026-25107 | Medium | May 13, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper with the configuration file of the product, and a victim administrator may be tricked into using a crafted…

  • CVE-2026-32958 | Medium | Apr 20, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update.

  • CVE-2026-33266 | High | Apr 9, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen…

  • CVE-2025-6074 | Medium | Jul 3, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to source code and control network, the attacker can bypass the REST interface authentication and gain access to…

  • CVE-2025-48417 | Medium | May 21, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) are hard-coded in the firmware and are shipped with the update files. An attacker can use the private key to perform man-in-the-middle attacks against…

  • CVE-2024-41260 | High | Aug 1, 2024
    risk 0.42 | cvss 7.5 | epss 0.00

    A static initialization vector (IV) in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information (email addresses) when in possession of the audit events database.