VYPR

CWE-326

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

Description

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
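The description above makes a point that is easy to state and easy to underestimate: a primitive can be cryptographically sound and still be the wrong tool, because adequate strength is the product of the keyspace and the cost of one guess. The following Python script is an added example for this page, not code from CWE, MITRE or any of the vendors in the CVE list below. It constructs its own sample secret (a 4-digit PIN, chosen because several of the listed CVEs involve fast hashes over short credentials), exhausts an unsalted SHA-1 of it in a few thousand guesses, and then measures how much more each guess costs against a salted PBKDF2-HMAC-SHA256 record with a large iteration count. Function names, the PIN and the iteration count are this example's own choices.

```python
"""Inadequate strength in practice: unsalted SHA-1 of a short secret versus a
slow, salted KDF. Everything here (the PIN, the salt, the iteration count) is
constructed for the example and comes from no real system."""
import hashlib
import hmac
import itertools
import os
import string
import time
from typing import Optional, Tuple

# Constructed sample secret: a 4-digit PIN, i.e. a 10^4 keyspace.
SAMPLE_PIN = b"7391"
# Iteration count on the order OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def sha1_hex(secret: bytes) -> str:
    """The weak scheme: one unsalted, unkeyed SHA-1 per secret. SHA-1 is not
    'broken' for this use; it is simply far too cheap per guess."""
    return hashlib.sha1(secret).hexdigest()


def brute_force_sha1(target_hex: str, alphabet: str = string.digits,
                     max_len: int = 4) -> Tuple[Optional[bytes], int]:
    """Exhaust every candidate of length 1..max_len over alphabet.

    Returns (secret, guesses) on a hit or (None, guesses) after the whole
    keyspace (11,110 strings for 4 digits) has been tried."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars).encode()
            if hmac.compare_digest(sha1_hex(candidate), target_hex):
                return candidate, guesses
    return None, guesses


def pbkdf2_store(secret: bytes, salt: Optional[bytes] = None) -> dict:
    """The adequate scheme for a stored credential: a random per-record salt
    (defeats precomputation) plus a large work factor (raises per-guess cost)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def pbkdf2_verify(record: dict, guess: bytes) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", guess, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def per_guess_cost_ratio(samples: int = 2_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one SHA-1 guess,
    measured on this machine. The ratio, not the absolute time, is the point."""
    t0 = time.perf_counter()
    for i in range(samples):
        sha1_hex(str(i).encode())
    sha1_cost = (time.perf_counter() - t0) / samples
    record = pbkdf2_store(SAMPLE_PIN)
    t0 = time.perf_counter()
    pbkdf2_verify(record, SAMPLE_PIN)
    pbkdf2_cost = time.perf_counter() - t0
    return pbkdf2_cost / sha1_cost


if __name__ == "__main__":
    found, guesses = brute_force_sha1(sha1_hex(SAMPLE_PIN))
    print(f"unsalted SHA-1: recovered {found!r} after {guesses} guesses")
    ratio = per_guess_cost_ratio()
    print(f"one PBKDF2 guess costs about {ratio:,.0f}x one SHA-1 guess; "
          f"the full 10^4 PIN space now costs about {ratio * 10_000 / 1e6:,.0f} million "
          f"SHA-1-equivalents instead of 0.01 million")
```

Read the two numbers together. The KDF multiplies the attacker's cost by the measured ratio, which is what "strong enough for the level of protection required" buys for a real password; for a 10^4 PIN it only turns milliseconds into roughly an hour of offline work, so a short secret additionally needs an online-only check with lockout or rate limiting. The same arithmetic applies to key length: a 56-bit DES key or a 1024-bit RSA modulus is sound in design and inadequate in cost.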

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-112 · CAPEC-192 · CAPEC-20

CVEs mapped to this weakness (194)

page 3 of 10
  • CVE-2024-25102 · High · Mar 6, 2024
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system. Successful…

  • CVE-2016-2879 · High · Mar 1, 2017
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    IBM QRadar 7.2 uses outdated hashing algorithms to hash certain passwords, which could allow a local user to obtain and decrypt user credentials. IBM Reference #: 1997341.

  • CVE-2026-8878 · High · Jun 3, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily…

  • CVE-2026-33361 · High · May 11, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

  • CVE-2025-46409 · High · Aug 28, 2025
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker.

  • CVE-2025-32874 · High · Jul 16, 2025
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2.0.16.0. A vulnerability exists in the EncryptionUtil class because symmetric encryption is implemented in a deterministic and non-randomized fashion. The method Encrypt(byte[] clearData) derives both…

  • CVE-2024-54089 · High · Feb 11, 2025
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    A vulnerability has been identified in APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions). Affected devices contain a weak encryption mechanism based on a hard-coded key. This could allow an…

  • CVE-2018-1785 · High · Sep 26, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870.

  • CVE-2018-1545 · High · Sep 26, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649.

  • CVE-2018-9028 · High · Jun 18, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.

  • CVE-2018-5184 · High · Jun 11, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

  • CVE-2017-1255 · High · May 2, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 124675.

  • CVE-2017-17543 · High · Apr 26, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption…

  • CVE-2017-1473 · High · Apr 23, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605.

  • CVE-2018-6635 · High · Feb 5, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896.

  • CVE-2018-6594 · High · Feb 3, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional…

  • CVE-2018-5298 · High · Jan 8, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) application 5.0.0 for Android, AES encryption with static parameters is used to secure the locally stored shared preferences. An attacker can gain access to locally stored user data more easily by leveraging access…

  • CVE-2017-1271 · High · Dec 7, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is…

  • CVE-2017-13699 · High · Nov 23, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password…

  • CVE-2017-8174 · High · Nov 22, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001C30SPC500, V100R001C30SPC600, V100R001C30SPC700, V100R001C30SPC800 have a weak algorithm vulnerability. Attackers may exploit the weak algorithm vulnerability to crack the cipher text and cause confidential…