CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 represents a critical implementation weakness where software embeds static, unchangeable cryptographic keys directly into its source code or binary. This flaw severely compromises confidentiality and integrity because attackers can easily extract these keys through reverse engineering or simple code inspection, bypassing the need for complex decryption attacks. Once obtained, adversaries can impersonate legitimate users, decrypt sensitive data, or forge digital signatures with impunity. To mitigate this risk, developers must avoid hardcoding secrets entirely. Instead, they should implement robust key management systems that generate, store, and rotate keys dynamically. Utilizing secure hardware modules, operating system keychains, or dedicated secret management services ensures that cryptographic material remains isolated from the application logic, significantly raising the barrier for potential attackers seeking to compromise the system’s security posture.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Architecture and Design: Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.
    #include <stdio.h>
    #include <string.h>

    int VerifyAdmin(char *password) {
        /* The expected value is a string constant compiled into the binary (CWE-321). */
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · C

    public boolean VerifyAdmin(String password) {
        // The expected value is a string constant in the class file (CWE-321).
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }

Bad · Java
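A hardened counterpart to the two MITRE examples above, added here as an illustration and not part of the CWE entry: the expected secret is read at runtime from the hypothetical DIAG_SECRET environment variable (standing in for an OS keychain or secret manager), the function fails closed when nothing is provisioned, and the comparison runs in constant time so that no secret value is compiled into the binary.

```c
#define _POSIX_C_SOURCE 200112L  /* for setenv/unsetenv/getenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant-time equality over n bytes: the loop always visits every byte,
 * so timing does not reveal the position of the first mismatch. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Hardened variant of VerifyAdmin: the secret is provisioned at runtime
 * through the hypothetical DIAG_SECRET variable instead of a string literal. */
int VerifyAdminSafe(const char *password) {
    const char *expected = getenv("DIAG_SECRET");
    if (expected == NULL || expected[0] == '\0') {
        /* Fail closed: no provisioned secret means no diagnostic mode. */
        fprintf(stderr, "Diagnostic secret not provisioned\n");
        return 0;
    }
    if (password == NULL)
        return 0;
    size_t elen = strlen(expected);
    /* Length is checked first; the byte comparison itself is constant time. */
    if (strlen(password) != elen || !ct_equal(password, expected, elen)) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}

int main(void) {
    /* Constructed sample secret for the stand-alone run only. */
    setenv("DIAG_SECRET", "constructed-sample-secret", 1);
    printf("%d\n", VerifyAdminSafe("constructed-sample-secret")); /* 1 */
    printf("%d\n", VerifyAdminSafe("wrong"));                     /* 0 */
    unsetenv("DIAG_SECRET");
    printf("%d\n", VerifyAdminSafe("constructed-sample-secret")); /* 0 */
    return 0;
}
```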
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-8243 | Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key | Canias ERP | 5.3 | Medium | 2026-05-10
CVE-2026-6787 | Usage of a hard-coded cryptographic key in WatchGuard Agent allows inclusion of code into existing process | WatchGuard Agent | 8.4 (AI) | High (AI) | 2026-05-06
CVE-2026-42518 | Information Disclosure Vulnerability in e-Sushrut HMIS | e-Sushrut, Hospital Management Information System (HMIS) | 9.1 (AI) | Critical (AI) | 2026-04-29
CVE-2026-7306 | Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard-coded key | xxl-job | 5.6 | Medium | 2026-04-28
CVE-2026-32644 | Milesight Cameras Use of Hard-coded Cryptographic Key | MS-Cxx63-PD | 9.8 | Critical | 2026-04-27
CVE-2026-7018 | Datavane Datavines JWT Token TokenManager.java hard-coded key | Datavines | 5.6 | Medium | 2026-04-26
CVE-2026-6611 | liangliangyy DjangoBlog File Upload Endpoint settings.py hard-coded key | DjangoBlog | 3.1 | Low | 2026-04-20
CVE-2026-32958 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 6.5 | Medium | 2026-04-20
CVE-2026-6580 | liangliangyy DjangoBlog Amap API Call views.py hard-coded key | DjangoBlog | 7.3 | High | 2026-04-19
CVE-2026-32324 | Anviz CX7 Firmware Use of Hard-coded Cryptographic Key | Anviz CX7 Firmware | 7.7 | High | 2026-04-17
CVE-2026-5426 | KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value | KnowledgeDeliver | 9.8 (AI) | Critical (AI) | 2026-04-16
CVE-2026-39810 | Fortinet FortiClientEMS security vulnerability | FortiClientEMS | 5.2 | Medium | 2026-04-14
CVE-2026-33266 | Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt | Apache OpenMeetings | 9.8 (AI) | Critical (AI) | 2026-04-09
CVE-2026-5622 | hcengineering Huly Platform JWT Token token.ts hard-coded key | Huly Platform | 3.7 | Low | 2026-04-06
CVE-2026-5549 | Tenda AC10 RSA 2048-bit Private Key privkeySrv.pem hard-coded key | AC10 | 5.3 | Medium | 2026-04-05
CVE-2026-5527 | Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key | 4G03 Pro | 5.3 | Medium | 2026-04-04
CVE-2015-10148 | Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys | Hirschmann HiLCOS | 7.5 | High | 2026-04-03
CVE-2026-5471 | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key | Toy Planet Trouble App | 3.3 | Low | 2026-04-03
CVE-2026-5462 | Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key | SYSTM App | 3.3 | Low | 2026-04-03
CVE-2026-5458 | Noelse Individuals & Pro App com.afone.noelse BuildConfig.java hard-coded key | Individuals & Pro App | 3.3 | Low | 2026-04-03
CVE-2026-5457 | PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key | AgentNet Singapore App | 3.3 | Low | 2026-04-03
CVE-2026-5456 | Align Technology My Invisalign App com.aligntech.myinvisalign.emea BuildConfig.java hard-coded key | My Invisalign App | 3.3 | Low | 2026-04-03
CVE-2026-5455 | Dialogue App ca.diagram.dialogue config.json hard-coded key | Dialogue App | 3.3 | Low | 2026-04-03
CVE-2026-5454 | GRID Organiser App co.gridapp.organiser app.json hard-coded key | Organiser App | 3.3 | Low | 2026-04-03
CVE-2026-5453 | Rico só vantagem pra investir App br.com.rico.mobile SegmentSettingsModule.java hard-coded key | só vantagem pra investir App | 3.3 | Low | 2026-04-03
CVE-2026-5452 | UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key | CampusConnect App | 3.3 | Low | 2026-04-03
CVE-2026-5420 | Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key | Goods Triple App | 2.5 | Low | 2026-04-02
CVE-2026-5310 | Enter Software Iperius Backup IperiusAccounts.ini hard-coded key | Iperius Backup | 2.5 | Low | 2026-04-01
CVE-2025-15605 | Hardcoded Cryptographic Key in Configuration Encryption Mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 | Archer NX600 v3.0 | 7.1 | - | 2026-03-23
CVE-2026-4588 | kalcaddle kodbox Site-level API key shareOut.class.php shareSafeGroup hard-coded key | kodbox | 3.7 | Low | 2026-03-23

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.