CWE-321
Use of Hard-coded Cryptographic Key
VariantDraftLikelihood: High
Description
The product uses a hard-coded, unchangeable cryptographic key.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (106)
page 4 of 6| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-5527 | Med | 0.34 | 5.3 | 0.00 | Apr 5, 2026 | A weakness has been identified in Tenda 4G03 Pro 1.0/1.0re/01.bin/04.03.01.53. Affected by this issue is some unknown functionality of the file /etc/www/pem/server.key of the component ECDSA P-256 Private Key Handler. This manipulation causes use of hard-coded cryptographic key . It is possible to initiate the attack remotely. | |
| CVE-2025-12177 | Med | 0.34 | 5.3 | 0.00 | Nov 8, 2025 | The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache. | |
| CVE-2025-58069 | Med | 0.34 | 5.3 | 0.00 | Sep 23, 2025 | The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session. | |
| CVE-2025-6071 | Med | 0.34 | 5.3 | 0.00 | Jul 3, 2025 | Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. An attacker can gain access to salted information to decrypt MQTT information. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | |
| CVE-2025-12615 | Med | 0.33 | 5.0 | 0.00 | Nov 3, 2025 | A security vulnerability has been detected in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /onps/settings.py. Such manipulation of the argument SECRET_KEY leads to use of hard-coded cryptographic key . The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. | |
| CVE-2025-10250 | Med | 0.33 | 5.0 | 0.00 | Sep 11, 2025 | A weakness has been identified in DJI Mavic Spark, Mavic Air and Mavic Mini 01.00.0500. Affected is an unknown function of the component Telemetry Channel. Executing manipulation can lead to use of hard-coded cryptographic key . The attacker needs to be present on the local network. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | |
| CVE-2017-9649 | Med | 0.33 | 5.0 | 0.00 | Sep 20, 2017 | A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware. | |
| CVE-2023-3404 | Med | 0.32 | 4.9 | 0.00 | Aug 31, 2023 | The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords. | |
| CVE-2025-60250 | Med | 0.31 | 4.7 | 0.00 | Sep 26, 2025 | Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV. | |
| CVE-2025-13877 | Med | 0.29 | 5.6 | 0.00 | Dec 2, 2025 | A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key . The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-58426 | Med | 0.28 | 4.3 | 0.00 | Oct 16, 2025 | desknet's NEO V4.0R1.0 to V9.0R2.0 contains a hard-coded cryptographic key, which allows an attacker to create malicious AppSuite applications. | |
| CVE-2025-49164 | Med | 0.28 | 4.3 | 0.00 | Jun 3, 2025 | Arris VIP1113 devices through 2025-05-30 with KreaTV SDK have a firmware decryption key of cd1c2d78f2cba1f73ca7e697b4a485f49a8a7d0c8b0fdc9f51ced50f2530668a. | |
| CVE-2025-64304 | Med | 0.26 | 4.0 | 0.00 | Nov 25, 2025 | "FOD" App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys. | |
| CVE-2024-52614 | Med | 0.26 | 4.0 | 0.00 | Nov 20, 2024 | Use of hard-coded cryptographic key issue exists in "Kura Sushi Official App Produced by EPARK" for Android versions prior to 3.8.5. If this vulnerability is exploited, a local attacker may obtain the login ID and password for the affected product. | |
| CVE-2026-5622 | Low | 0.24 | 3.7 | 0.00 | Apr 6, 2026 | A vulnerability was determined in hcengineering Huly Platform 0.7.382. Affected by this issue is some unknown functionality of the file foundations/core/packages/token/src/token.ts of the component JWT Token Handler. This manipulation of the argument SERVER_SECRET with the input secret causes use of hard-coded cryptographic key . The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-4588 | Low | 0.24 | 3.7 | 0.00 | Mar 23, 2026 | A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-level API key Handler. This manipulation of the argument sk causes use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-3963 | Low | 0.24 | 3.7 | 0.00 | Mar 11, 2026 | A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-15108 | Low | 0.24 | 3.7 | 0.00 | Dec 27, 2025 | A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | |
| CVE-2025-15107 | Low | 0.24 | 3.7 | 0.00 | Dec 27, 2025 | A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. | |
| CVE-2025-15105 | Low | 0.24 | 3.7 | 0.00 | Dec 27, 2025 | A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |