VYPR

CWE-321

Use of Hard-coded Cryptographic Key

Variant · Draft · Likelihood: High

Description

The product uses a hard-coded, unchangeable cryptographic key.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (146)

page 4 of 8
  • CVE-2024-33849 · Medium · May 28, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.

  • CVE-2023-32077 · High · Aug 24, 2023
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauthenticated users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should…

  • CVE-2019-10990 · Medium · Sep 23, 2019
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

  • CVE-2024-3109 · Medium · May 3, 2024
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A hard-coded AES key vulnerability was reported in the Motorola GuideMe application which, along with a lack of URI sanitization, could allow a local attacker to read arbitrary files.

  • CVE-2026-9260 · Medium · Jun 16, 2026
    risk 0.40 · CVSS 6.2 · EPSS 0.00

    Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier.

  • CVE-2025-55449 · High · May 8, 2026
    risk 0.40 · CVSS 7.3 · EPSS 0.00

    AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.

  • CVE-2022-23650 · High · Feb 18, 2022
    risk 0.40 · CVSS 7.2 · EPSS 0.02

    Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know…

  • CVE-2026-39810 · Medium · Apr 14, 2026
    risk 0.39 · CVSS 6.0 · EPSS 0.00

    A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to disclose information by decrypting a database dump.

  • CVE-2024-47256 · Medium · Feb 6, 2025
    risk 0.39 · CVSS 6.0 · EPSS 0.00

    Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read a hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older. 2N has…

  • CVE-2024-38532 · High · Jun 28, 2024
    risk 0.39 · CVSS 7.1 · EPSS 0.00

    The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of…

  • CVE-2018-3825 · Medium · Sep 19, 2018
    risk 0.38 · CVSS 5.9 · EPSS 0.01

    In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can…

  • CVE-2019-19754 · Medium · Apr 30, 2024
    risk 0.37 · CVSS 5.7 · EPSS 0.00

    HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-09-26, the vendor indicated that they would consider fixing…

  • CVE-2026-7306 · Medium · Apr 28, 2026
    risk 0.36 · CVSS 5.6 · EPSS 0.00

    A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the…

  • CVE-2025-13948 · Medium · Dec 3, 2025
    risk 0.36 · CVSS 5.6 · EPSS 0.00

    A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded…

  • CVE-2025-11290 · Medium · Oct 5, 2025
    risk 0.36 · CVSS 5.6 · EPSS 0.00

    A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack…

  • CVE-2025-2810 · Medium · Aug 5, 2025
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    A low privileged local attacker can abuse the affected service by using a hardcoded cryptographic key.

  • CVE-2025-32730 · Medium · Apr 24, 2025
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Use of hard-coded cryptographic key vulnerability in i-PRO Configuration Tool affects the network system for i-PRO Co., Ltd. surveillance cameras and recorders. This vulnerability allows a local authenticated attacker to use the authentication information from the last connected…

  • CVE-2025-66454 · Medium · Dec 2, 2025
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows…

  • CVE-2025-54471 · Medium · Oct 30, 2025
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.

  • CVE-2024-45837 · Medium · Nov 22, 2024
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Use of hard-coded cryptographic key issue exists in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software. A network-adjacent unauthenticated attacker may log in to the SFTP service and obtain and/or manipulate unauthorized files.