
CWE-1394 — Vulnerability Class 15

15 vulnerabilities classified as CWE-1394. AI Chinese analysis included.

CWE-1394 represents a critical security weakness where software utilizes hardcoded or default cryptographic keys for sensitive operations, often to streamline manufacturing or initial deployment. This flaw is typically exploited by attackers who, knowing the static key, can easily decrypt protected data, forge digital signatures, or bypass authentication mechanisms without needing to reverse-engineer the application. Since the key remains constant across all instances of the product, a single breach compromises the entire user base. To mitigate this risk, developers must implement robust key management systems that generate unique, random keys for each deployment or user session. Furthermore, enforcing mandatory key rotation policies and requiring administrators to change default credentials during setup ensures that cryptographic integrity is maintained, preventing widespread exploitation of predictable secrets.

MITRE CWE Description
The product uses a default cryptographic key for potentially critical functionality. It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Common Consequences (1)
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Mitigations (3)
Phase: Requirements. Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product, especially for separate organizations. Effectiveness: High.
Phase: Architecture and Design. Force the administrator to change the credential upon installation. Effectiveness: High.
Phase: Installation, Operation. The product administrator could change the defaults upon installation or during operation. Effectiveness: Moderate.
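The first two mitigations above (no value that is identical across installations, and forcing a change at install time) can be enforced in the product itself. The following is an added example, not code from MITRE or from any product listed on this page: a JWT-style signing key is loaded from the environment or a per-installation file, shipped placeholder defaults and weak values are refused at startup, and a fresh random key is generated on first run. The default-key list, the `APP_JWT_SECRET` variable name and the file path are constructed for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed placeholder defaults for the example; real products' shipped
# defaults are not reproduced here.
KNOWN_DEFAULT_KEYS = {"changeme", "default", "secret", "example-default-key"}
MIN_KEY_BYTES = 32  # 256-bit minimum for an HMAC (HS256) signing key


def key_is_acceptable(key: str) -> bool:
    """Reject shipped defaults, too-short keys and keys padded with one byte."""
    if key.strip().lower() in KNOWN_DEFAULT_KEYS:
        return False
    raw = key.encode()
    if len(raw) < MIN_KEY_BYTES:
        return False
    if len(set(raw)) < 8:  # e.g. "aaaa..." stretched to the minimum length
        return False
    return True


def generate_install_key() -> str:
    """Per-installation key from the OS CSPRNG (CWE-1394 mitigation: vary per install)."""
    return secrets.token_urlsafe(MIN_KEY_BYTES)


def load_signing_key(key_file: Path, env_var: str = "APP_JWT_SECRET") -> str:
    """Vulnerable pattern: SECRET = "changeme" hard-coded in source.
    Hardened pattern: environment or per-install file, defaults refused,
    key created on first run so no two deployments share one."""
    key = os.environ.get(env_var)
    if key is None and key_file.exists():
        key = key_file.read_text().strip()
    if key is None:
        key = generate_install_key()
        key_file.write_text(key)
        os.chmod(key_file, 0o600)  # readable by the service account only
    if not key_is_acceptable(key):
        raise RuntimeError(f"refusing to start: {env_var} is a default or weak key")
    return key


def first_run_roundtrip() -> bool:
    """Install simulation: first load creates a key, second load returns it."""
    with tempfile.TemporaryDirectory() as d:
        key_file = Path(d) / "jwt_secret"  # constructed path
        first = load_signing_key(key_file, env_var="EXAMPLE_UNSET_VAR")
        second = load_signing_key(key_file, env_var="EXAMPLE_UNSET_VAR")
        return first == second and key_is_acceptable(first)
```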
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-5039 | Predictable Default Cryptographic Key Used for DES Encryption in TP-Link TL-WL841N | TL-WL841N v13 | 8.8 (AI) | High (AI) | 2026-04-23
CVE-2026-2215 | rachelos WeRSS we-mp-rss JWT auth.py default key | WeRSS we-mp-rss | 3.7 | Low | 2026-02-09
CVE-2026-25815 | Fortinet FortiOS security vulnerability | FortiOS | 3.2 | Low | 2026-02-05
CVE-2025-41742 | Sprecher Automation: SPRECON-E series has a critical vulnerability due to the use of static cryptographic keys in system components | SPRECON-E-C | 9.8 | Critical | 2025-12-02
CVE-2025-41744 | Sprecher Automation: SPRECON-E series has static default key material for TLS connections | SPRECON-E-C | 9.1 | Critical | 2025-12-02
CVE-2025-55049 | Baicells NEUTRINO430 security vulnerability | NEUTRINO430 | 9.1 | Critical | 2025-09-09
CVE-2025-44954 | RUCKUS SmartZone security vulnerability | SmartZone | 9.0 | Critical | 2025-08-04
CVE-2025-1688 | System configuration password reset | XProtect VMS | 5.5 | Medium | 2025-04-15
CVE-2025-26849 | DocuSnap security vulnerability | Docusnap | 4.3 | Medium | 2025-03-04
CVE-2024-48956 | Serviceware Processes security vulnerability | n/a | 9.8 | Critical | 2024-12-09
CVE-2024-11619 | macrozheng mall JWT Token default key | mall | 5.0 | Medium | 2024-11-22
CVE-2024-10748 | Cosmote Greece What's Up App Realm Database RealmDB.java default key | What's Up App | 2.5 | Low | 2024-11-04
CVE-2024-1275 | Vulnerability in Baxter Welch Allyn Connex Spot Monitor | Welch Allyn Connex Spot Monitor | 9.8 | - | 2024-05-31
CVE-2024-29037 | Default secret use for initial deployment | datahub-helm | 9.1 | Critical | 2024-03-20
CVE-2023-6451 | Publicly Known Cryptographic Machine Key In Procura Portal Application | Procura Portal | 8.6 | High | 2024-02-16

Vulnerabilities classified as CWE-1394 represent 15 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.