
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 represents a critical implementation weakness where software embeds static, unchangeable cryptographic keys directly into its source code or binary. This flaw severely compromises confidentiality and integrity because attackers can easily extract these keys through reverse engineering or simple code inspection, bypassing the need for complex decryption attacks. Once obtained, adversaries can impersonate legitimate users, decrypt sensitive data, or forge digital signatures with impunity. To mitigate this risk, developers must avoid hardcoding secrets entirely. Instead, they should implement robust key management systems that generate, store, and rotate keys dynamically. Utilizing secure hardware modules, operating system keychains, or dedicated secret management services ensures that cryptographic material remains isolated from the application logic, significantly raising the barrier for potential attackers seeking to compromise the system’s security posture.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control
Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
Note: If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Mitigations (1)
Phase: Architecture and Design
Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.
    #include <stdio.h>
    #include <string.h>

    /* The expected secret is a literal in the source, so it ships in every
       copy of the binary and can be read out with a string dump (CWE-321). */
    int VerifyAdmin(char *password) {
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · C

    /* Same weakness in Java: the secret is a compile-time constant in the
       class file, recoverable from the jar without running the program. */
    public boolean VerifyAdmin(String password) {
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }

Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
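As an added example (not MITRE's code and not part of this page), here is a hardened counterpart to the C example above: the expected secret is obtained at runtime from an environment variable named DIAG_ADMIN_SECRET (an assumed name; an OS keychain or a secret manager is the better home in production) and compared in constant time, so neither the binary nor response timing reveals it. The check is split into VerifyAdminWith, which takes the expected value as a parameter, and VerifyAdmin, which keeps the original's prints and return values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name of the environment variable holding the expected diagnostic secret.
 * Assumed for this example; a deployment would pull it from an OS keychain
 * or a secret-management service rather than the process environment. */
#define DIAG_SECRET_ENV "DIAG_ADMIN_SECRET"

/* Compare two byte strings in time that depends only on their lengths, not
 * on where they first differ, so a caller cannot recover the secret byte by
 * byte from response timing. Returns 1 when equal, 0 otherwise. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen) {
    size_t n = alen > blen ? alen : blen;
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < alen ? (unsigned char)a[i] : 0;
        unsigned char cb = i < blen ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Core check, parameterised on the expected secret so it can be exercised
 * without touching the environment. Returns 1 on match, 0 otherwise. */
int VerifyAdminWith(const char *password, const char *expected) {
    if (password == NULL || expected == NULL || expected[0] == '\0')
        return 0;               /* nothing configured: fail closed */
    return ct_equal(password, strlen(password), expected, strlen(expected));
}

/* Drop-in replacement for the MITRE example: same messages and return
 * values, but the secret is supplied at runtime, not baked into the binary. */
int VerifyAdmin(const char *password) {
    const char *expected = getenv(DIAG_SECRET_ENV);
    if (expected == NULL || expected[0] == '\0') {
        fprintf(stderr, "Diagnostic secret not configured; refusing access.\n");
        return 0;
    }
    if (!VerifyAdminWith(password, expected)) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}
```

Rotating the secret is now an operational change (set a new value, restart) rather than a rebuild and redeploy of every installed copy.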
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-13316 | Hard-coded encryption keys in Twonky Server — Twonky Server | 9.8 (AI) | Critical (AI) | 2025-11-19 |
| CVE-2025-12177 | Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key — Download Manager | 5.3 | Medium | 2025-11-08 |
| CVE-2025-12615 | PHPGurukul News Portal settings.py hard-coded key — News Portal | 5.0 | Medium | 2025-11-03 |
| CVE-2025-12599 | Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000) — BLU-IC2 | 7.5 | - | 2025-11-01 |
| CVE-2025-54471 | NeuVector is shipping cryptographic material into its binary — neuvector | 6.5 | Medium | 2025-10-30 |
| CVE-2025-46582 | Private Key Disclosure Vulnerability in ZTE ZXMP M721 Product — ZXMP M721 | 7.7 | High | 2025-10-27 |
| CVE-2025-34500 | Shuffle Master Deck Mate 2 Insecure Update Chain — Deck Mate 2 | 9.8 | - | 2025-10-24 |
| CVE-2025-11899 | Flowring Technology\|Agentflow - Use of Hard-coded Cryptographic Key — Agentflow | 8.1 | High | 2025-10-17 |
| CVE-2025-58426 | Desknets Neo security vulnerability — desknet's NEO | 9.8 (AI) | Critical (AI) | 2025-10-16 |
| CVE-2025-11609 | code-projects Hospital Management System express-session hard-coded key — Hospital Management System | 3.7 | Low | 2025-10-11 |
| CVE-2025-35052 | Newforma Info Exchange (NIX) shared hard-coded secret key — Project Center | 5.3 | Medium | 2025-10-09 |
| CVE-2025-11290 | CRMEB JWT HMAC Secret hard-coded key — CRMEB | 5.6 | Medium | 2025-10-05 |
| CVE-2025-24525 | Keysight Ixia Vision Product Family Use of Hard-coded Cryptographic Key — Ixia Vision Product Family | 7.5 | High | 2025-09-30 |
| CVE-2025-34217 | Vasion Print (formerly PrinterLogic) Undocumented Hardcoded SSH Key — Print Virtual Appliance Host | 9.8 | - | 2025-09-30 |
| CVE-2025-8625 | Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution — Copypress Rest API | 9.8 | Critical | 2025-09-30 |
| CVE-2025-34211 | Vasion Print (formerly PrinterLogic) Hardcoded SSL Certificate and Private Keys — Print Virtual Appliance Host | 7.5 (AI) | High (AI) | 2025-09-29 |
| CVE-2025-34234 | Vasion Print (formerly PrinterLogic) Hardcoded Encryption Private Keys — Print Virtual Appliance Host | 9.1 (AI) | Critical (AI) | 2025-09-29 |
| CVE-2025-36326 | IBM Controller information disclosure — Cognos Controller | 3.7 | Low | 2025-09-26 |
| CVE-2025-60250 | Security vulnerability in multiple Unitree products — Go2 | 4.7 | Medium | 2025-09-26 |
| CVE-2025-58069 | AutomationDirect CLICK PLUS Use of Hard-coded Cryptographic Key — CLICK PLUS C0-0x CPU firmware | 5.3 | Medium | 2025-09-23 |
| CVE-2025-54807 | Dover Fueling Solutions ProGauge MagLink LX4 Devices Use of Hard-coded Cryptographic Key — ProGauge MagLink LX 4 | 9.8 | Critical | 2025-09-18 |
| CVE-2025-55112 | BMC Control-M/Agent hardcoded Blowfish keys — Control-M/Agent | 7.4 | High | 2025-09-16 |
| CVE-2025-10250 | DJI Mavic Spark/Mavic Air/Mavic Mini Telemetry Channel hard-coded key — Mavic Spark | 5.0 | Medium | 2025-09-11 |
| CVE-2025-10080 | running-elephant Datart API AESUtil.java getTokensecret hard-coded key — Datart | 3.1 | Low | 2025-09-08 |
| CVE-2025-30198 | ECOVACS Vacuum and Base Station Hard-Coded WPA2-PSK — DEEBOT X1 Series | 6.3 | Medium | 2025-09-05 |
| CVE-2025-30200 | ECOVACS Vacuum and Base Station Hard-Coded AES Encryption — DEEBOT X1 Series | 6.3 | Medium | 2025-09-05 |
| CVE-2025-9604 | coze-studio aes.go hard-coded key — coze-studio | 3.7 | Low | 2025-08-29 |
| CVE-2025-41702 | egOS WebGUI Hard-Coded JWT Secret Enables Authentication Bypass — EG400Mk2-D11001-000101 | 9.8 | Critical | 2025-08-26 |
| CVE-2025-8759 | TRENDnet TN-200 Lighttpd hard-coded key — TN-200 | 3.7 | Low | 2025-08-09 |
| CVE-2025-2810 | Draeger: ICMHelper is vulnerable to use of Hard-coded Cryptographic Key — Draeger ICMHelper | 5.5 | Medium | 2025-08-05 |

Scores and severities marked (AI) carry the page's AI-estimated badge; a "-" means no severity was listed.

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.