CWE-321 — Use of Hard-coded Cryptographic Key
276 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-321 (page 5 of 6)
- CVE-2025-48417 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-05-21
The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) is hard-coded in the firmware and are shipped with the update files. An attacker can use the private key to per…
- CVE-2025-4876 | MEDIUM | CVSS 6.0 | EG 6.0 | 2025-05-19
ConnectWise-Password-Encryption-Utility.exe in ConnectWise Risk Assessment allows an attacker to extract a hardcoded AES decryption key via reverse engineering. This key is embedded in plaintext within the binary and used in cryptographic …
- CVE-2025-49164 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-06-03
Arris VIP1113 devices through 2025-05-30 with KreaTV SDK have a firmware decryption key of cd1c2d78f2cba1f73ca7e697b4a485f49a8a7d0c8b0fdc9f51ced50f2530668a.
- CVE-2025-5164 | LOW | CVSS 3.7 | EG 3.7 | 2025-05-26
A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. This vulnerability affects the function JwtUtil of the component JWT Handler. The manipulation leads to use of hard-coded cryptographic key . The attack c…
- CVE-2025-52373 | MEDIUM | CVSS 4.6 | EG 4.6 | 2025-07-21
Use of hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords used in database connections from hMailServer.ini config file.
- CVE-2025-52374 | MEDIUM | CVSS 4.6 | EG 4.6 | 2025-07-21
Use of hardcoded cryptographic key in Encryption.cs in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords to other servers from hMailAdmin.exe.config file to access other hMailServer admin consoles with configured connec…
- CVE-2025-52601 | HIGH | CVSS 7.8 | EG 7.5 | 2025-12-26
Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information.…
- CVE-2025-5353 | HIGH | CVSS 8.8 | EG 8.8 | 2025-06-10
A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt stored SQL credentials.
- CVE-2025-54471 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-30
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
- CVE-2025-54807 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-09-18
The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system.
- CVE-2025-54947 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-12
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically genera…
- CVE-2025-55112 | HIGH | CVSS 7.4 | EG 7.4 | 2025-09-16
Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) that are configured to use the non-default Blowfish cryptography algorithm use a hardcoded key. An attacker with access to network traf…
- CVE-2025-55449 | HIGH | CVSS 7.3 | EG 7.3 | 2026-05-08
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
- CVE-2025-55619 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-08-22
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engine…
- CVE-2025-56577 | HIGH | CVSS 8.4 | EG 8.4 | 2025-08-29
An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys.
- CVE-2025-56801 | MEDIUM | CVSS 5.1 | EG 5.1 | 2025-10-21
The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted c…
- CVE-2025-56802 | MEDIUM | CVSS 5.1 | EG 5.1 | 2025-10-21
The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerabil…
- CVE-2025-57174 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-09-15
An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys ha…
- CVE-2025-58069 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-09-23
The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOP…
- CVE-2025-58426 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-10-16
desknet's NEO V4.0R1.0 to V9.0R2.0 contains a hard-coded cryptographic key, which allows an attacker to create malicious AppSuite applications.
- CVE-2025-58740 | MEDIUM | CVSS 5.5 | EG 5.5 | 2026-01-20
The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the …
- CVE-2025-59407 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-02
The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles a Java Keystore (flock_rye.bks) along wi…
- CVE-2025-60250 | MEDIUM | CVSS 4.7 | EG 4.7 | 2025-09-26
Unitree Go2, G1, H1, and B2 devices through 2025-09-20 decrypt BLE packet data by using the df98b715d5c6ed2b25817b6f2554124a key and the 2841ae97419c2973296a0d4bdfe19a4f IV.
- CVE-2025-6071 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-07-03
Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. An attacker can gain access to salted information to decrypt MQTT information. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 …
- CVE-2025-6074 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-07-03
Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to source code and control network, the attacker can bypass the REST interf…
- CVE-2025-62581 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-16
Delta Electronics DIAView has multiple vulnerabilities.
- CVE-2025-63289 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-11-12
Sogexia Android App Compile Affected SDK v35, Max SDK 32 and fixed in v36, was discovered to contain hardcoded encryption keys in the encryption_helper.dart file
- CVE-2025-64304 | MEDIUM | CVSS 4.0 | EG 4.0 | 2025-11-25
"FOD" App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys.
- CVE-2025-65998 | HIGH | CVSS 7.5 | EG 7.5 | 2025-11-24
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is alway…
- CVE-2025-66454 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-12-02
Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, a…
- CVE-2025-6666 | LOW | CVSS 2.0 | EG 2.0 | 2025-11-29
A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of hard-coded cryptographic …
- CVE-2025-6669 | LOW | CVSS 3.7 | EG 3.7 | 2025-06-25
A vulnerability was found in gooaclok819 sublinkX up to 1.8. It has been declared as problematic. This vulnerability affects unknown code of the file middlewares/jwt.go. The manipulation with the input sublink leads to use of hard-coded cr…
- CVE-2025-68948 | HIGH | CVSS 8.1 | EG 8.1 | 2025-12-27
SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session e…
- CVE-2025-8625 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-09-30
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not re…
- CVE-2025-8759 | LOW | CVSS 3.7 | EG 3.7 | 2025-08-09
A vulnerability was found in TRENDnet TN-200 1.02b02. It has been declared as problematic. This vulnerability affects unknown code of the component Lighttpd. The manipulation of the argument secdownload.secret with the input neV3rUseMe lea…
- CVE-2025-9604 | LOW | CVSS 3.7 | EG 3.7 | 2025-08-29
A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey lead…
- CVE-2026-2103 | HIGH | CVSS 7.1 | EG 7.1 | 2026-02-06
Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with a…
- CVE-2026-22586 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-24
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. Th…
- CVE-2026-22906 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-02-09
User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the a…
- CVE-2026-24218 | HIGH | CVSS 8.1 | EG 8.1 | 2026-05-20
NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all simil…
- CVE-2026-25107 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-13
ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper the configuration file of the product, and a victim administrator…
- CVE-2026-25505 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-02-04
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This …
- CVE-2026-25894 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This aff…
- CVE-2026-26335 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-02-13
Calero VeraSMART versions prior to 2022 R1 use static ASP.NET/IIS machineKey values configured for the VeraSMART web application and stored in C:\Program Files (x86)\Veramark\VeraSMART\WebRoot\web.config. An attacker who obtains thes…
- CVE-2026-31986 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-05-19
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- CVE-2026-32324 | HIGH | CVSS 7.7 | EG 7.7 | 2026-04-17
Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.
- CVE-2026-32644 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-04-28
Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
- CVE-2026-32958 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-04-20
SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update.
- CVE-2026-33266 | HIGH | CVSS 7.5 | EG 7.5 | 2026-04-09
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default enc…
- CVE-2026-33362 | HIGH | CVSS 8.6 | EG 8.6 | 2026-05-11
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material…