CWE-321
Use of Hard-coded Cryptographic Key
Description
The product uses a hard-coded, unchangeable cryptographic key.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (146)
page 4 of 8

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-33849 | | Medium | 0.42 | 6.5 | 0.00 | | May 28, 2024 | ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key. |
| CVE-2023-32077 | | High | 0.42 | 7.5 | 0.03 | | Aug 24, 2023 | Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should… |
| CVE-2019-10990 | | Medium | 0.42 | 6.5 | 0.01 | | Sep 23, 2019 | Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files. |
| CVE-2024-3109 | | Medium | 0.41 | 6.3 | 0.00 | | May 3, 2024 | A hard-coded AES key vulnerability was reported in the Motorola GuideMe application, which, along with a lack of URI sanitation, could allow a local attacker to read arbitrary files. |
| CVE-2026-9260 | | Medium | 0.40 | 6.2 | 0.00 | | Jun 16, 2026 | Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier. |
| CVE-2025-55449 | — | High | 0.40 | 7.3 | 0.00 | | May 8, 2026 | AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT. |
| CVE-2022-23650 | | High | 0.40 | 7.2 | 0.02 | | Feb 18, 2022 | Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know… |
| CVE-2026-39810 | | Medium | 0.39 | 6.0 | 0.00 | | Apr 14, 2026 | A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to obtain information disclosure by decrypting a database dump. |
| CVE-2024-47256 | — | Medium | 0.39 | 6.0 | 0.00 | | Feb 6, 2025 | Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read a hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older. 2N has… |
| CVE-2024-38532 | | High | 0.39 | 7.1 | 0.00 | | Jun 28, 2024 | The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of… |
| CVE-2018-3825 | | Medium | 0.38 | 5.9 | 0.01 | | Sep 19, 2018 | In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can… |
| CVE-2019-19754 | | Medium | 0.37 | 5.7 | 0.00 | | Apr 30, 2024 | HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-09-26, the vendor indicated that they would consider fixing… |
| CVE-2026-7306 | | Medium | 0.36 | 5.6 | 0.00 | | Apr 28, 2026 | A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the… |
| CVE-2025-13948 | | Medium | 0.36 | 5.6 | 0.00 | | Dec 3, 2025 | A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Executing manipulation of the argument secret key can lead to use of hard-coded… |
| CVE-2025-11290 | | Medium | 0.36 | 5.6 | 0.00 | | Oct 5, 2025 | A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack… |
| CVE-2025-2810 | — | Medium | 0.36 | 5.5 | 0.00 | | Aug 5, 2025 | A low privileged local attacker can abuse the affected service by using a hardcoded cryptographic key. |
| CVE-2025-32730 | | Medium | 0.36 | 5.5 | 0.00 | | Apr 24, 2025 | Use of hard-coded cryptographic key vulnerability in i-PRO Configuration Tool affects the network system for i-PRO Co., Ltd. surveillance cameras and recorders. This vulnerability allows a local authenticated attacker to use the authentication information from the last connected… |
| CVE-2025-66454 | | Medium | 0.35 | 6.5 | 0.00 | | Dec 2, 2025 | Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows… |
| CVE-2025-54471 | | Medium | 0.35 | 6.5 | 0.00 | | Oct 30, 2025 | NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data. |
| CVE-2024-45837 | | Medium | 0.35 | 5.4 | 0.00 | | Nov 22, 2024 | Use of hard-coded cryptographic key issue exists in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software. A network-adjacent unauthenticated attacker may log in to the SFTP service and obtain and/or manipulate unauthorized files. |