
CWE-321: Use of Hard-coded Cryptographic Key (248 vulnerabilities)

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 is an implementation weakness in which software embeds a fixed cryptographic key (or the password or secret from which one is derived) in its source code, its default configuration, or the shipped binary. Because every copy of the product carries the same key, a single extraction by reverse engineering, a strings scan of the binary, or a look at a public repository defeats the protection for every deployment, with no cryptanalysis required. With the key in hand an adversary can decrypt stored or transmitted data, forge signatures and session tokens, and impersonate users or administrators. The mitigation is to keep no secret in the code at all: generate keys per deployment, load them at runtime from an operating system keychain, a hardware security module, or a dedicated secret manager, refuse to start when none is configured rather than falling back to a built-in default, and rotate keys on a schedule so that any leak is bounded in time.
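The pattern behind the JWT-secret entries in the CVE table on this page, shown as an added example in Python (not code from this site or from any of the listed products): a minimal HS256 signer and verifier, the token an attacker forges once the default secret is known, and a loader that fails closed on a missing, default or too-short secret instead of falling back to a constant. The environment variable name APP_JWT_SECRET, the default value "changeme" and the denylist of known defaults are assumptions made for the example.

```python
"""Hard-coded JWT secret: what an attacker can do with it, and a loader that refuses one.
Added example; not code from any product listed on this page."""
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Mapping, Optional

# Constructed stand-in for the default secret shipped in a sample config file
# (the pattern behind the JWT-secret CVEs in the table on this page).
DEFAULT_SECRET = "changeme"
# Assumed denylist of values a deployment must never run with.
KNOWN_DEFAULTS = {DEFAULT_SECRET, "secret", "jwt_secret", "your-256-bit-secret"}
MIN_SECRET_BYTES = 32          # RFC 7518 section 3.2: HS256 keys must be at least 256 bits
ENV_VAR = "APP_JWT_SECRET"     # assumed variable name, populated by the secret store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, secret: str) -> str:
    """Issue an HS256 JWT in compact serialization."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the token is validly signed under `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        body = json.loads(_b64url_decode(body_b64))
    except ValueError:                      # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                         # pin the algorithm; never honour alg=none
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return body


def forge_admin_token(leaked_secret: str) -> str:
    """What an attacker does once the secret is readable in the repo or container image."""
    return mint({"sub": "attacker", "role": "admin"}, leaked_secret)


def secret_problem(value: Optional[str]) -> Optional[str]:
    """Why a candidate signing secret is unacceptable, or None if it passes."""
    if not value:
        return "not set"
    if value in KNOWN_DEFAULTS:
        return "known default value"
    if len(value.encode()) < MIN_SECRET_BYTES:
        return f"shorter than {MIN_SECRET_BYTES} bytes"
    return None


def load_signing_key(env: Mapping[str, str] = os.environ, var: str = ENV_VAR) -> str:
    """Hardened loader: the secret must come from the environment (filled by a
    secrets mount or manager); the process refuses to start rather than fall
    back to a constant baked into the code."""
    value = env.get(var)
    problem = secret_problem(value)
    if problem:
        raise RuntimeError(f"{var} {problem}; refusing to start with a built-in secret")
    return value


def generate_secret() -> str:
    """What to put in the secret manager: 32 random bytes, hex-encoded (64 characters)."""
    return secrets.token_hex(MIN_SECRET_BYTES)


if __name__ == "__main__":
    forged = forge_admin_token(DEFAULT_SECRET)
    print("forged token accepted under shipped default:", verify(forged, DEFAULT_SECRET))
    per_deployment = generate_secret()
    print("forged token accepted under per-deployment secret:", verify(forged, per_deployment))
    print("loader accepts generated secret:", load_signing_key({ENV_VAR: per_deployment}) == per_deployment)
```

The forged token is accepted by every installation that still runs on the shipped default and rejected by any that generated its own secret, which is the whole difference between a product-wide authentication bypass and a per-deployment secret that only that operator can leak.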

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity; Read Application Data.
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Mitigations (1)
Phase: Architecture and Design. Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.

Bad · C

    #include <stdio.h>
    #include <string.h>

    /* The comparison value is baked into the binary; `strings` on the
       executable recovers it without any reverse engineering. */
    int VerifyAdmin(char *password) {
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return 0;
        }
        printf("Entering Diagnostic Mode...\n");
        return 1;
    }

Bad · Java

    // Same flaw: the constant is readable in the class file and in any
    // decompiled copy of the application.
    public boolean VerifyAdmin(String password) {
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
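The hardened counterpart of the VerifyAdmin examples above, added here as an illustration in Python (it is not MITRE's example code nor any vendor's fix): the verifier holds no secret, the stored credential is a salted PBKDF2 record supplied at deployment time through an environment variable, and the comparison is constant-time. The variable name DIAG_ADMIN_HASH, the "salt_hex$hash_hex" record layout and the example password are assumptions made for this example.

```python
"""Hardened counterpart of the VerifyAdmin examples: no secret in the code,
the stored record lives outside the build, and the comparison is constant-time.
Added example; not MITRE's or any vendor's code."""
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
ENV_VAR = "DIAG_ADMIN_HASH"   # assumed name; holds "salt_hex$hash_hex", set at deploy time


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record an operator stores in the secret store, never in the repo."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def parse_record(record: Optional[str]) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored record into (salt, hash); None if it is missing or malformed."""
    if not record or "$" not in record:
        return None
    salt_hex, hash_hex = record.split("$", 1)
    try:
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None
    if len(salt) < 16 or len(digest) != 32:
        return None
    return salt, digest


def verify_admin(password: str, env: Mapping[str, str] = os.environ) -> bool:
    """True only if `password` matches the externally supplied record. Fails closed
    (returns False) when no record is configured, so an unconfigured build has no
    diagnostic-mode backdoor at all."""
    parsed = parse_record(env.get(ENV_VAR))
    if parsed is None:
        return False
    salt, stored = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # compare_digest avoids the early-exit timing leak of strcmp() and String.equals()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Operator side, once, at deployment: generate the record and put it in the secret store.
    record = hash_password("correct horse battery staple")   # constructed example password
    env = {ENV_VAR: record}
    print("right password:", verify_admin("correct horse battery staple", env))
    print("wrong password:", verify_admin("admin", env))
    print("no record configured:", verify_admin("correct horse battery staple", {}))
```

Nothing recoverable from the binary or source lets an attacker enter diagnostic mode: the record is per-deployment, a leaked record still has to be brute-forced through 600,000 PBKDF2 iterations per guess, and the absence of a record disables the feature rather than enabling a default.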
The 30 entries shown on this page, newest first. "(AI)" reproduces the site's AI marker on that score or severity; "-" means no severity was listed.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-4477 | Yi Technology YI Home Camera WPA/WPS hard-coded key | YI Home Camera | 3.1 | Low | 2026-03-20
CVE-2026-3963 | perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key | go-fastdfs-web | 3.7 | Low | 2026-03-11
CVE-2025-14923 | IBM WebSphere Application Server Liberty could provide weaker than expected security | WebSphere Application Server - Liberty | 4.7 | Medium | 2026-03-03
CVE-2026-0754 | SIP Service Providers – Possible Impersonation of Poly Voice Device | VVX | 7.5 (AI) | High (AI) | 2026-03-03
CVE-2026-1442 | Unitree UPK files Hard-Coded Key | UPK | 7.8 | High | 2026-02-27
CVE-2026-27519 | Binardat 10G08-0800GSM Network Switch Hard-coded RC4 Encryption Key | 10G08-0800GSM Network Switch | 7.5 | High | 2026-02-24
CVE-2026-26335 | Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE | VeraSMART | 8.8 (AI) | High (AI) | 2026-02-13
CVE-2026-25894 | FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration | FUXA | 9.8 (AI) | Critical (AI) | 2026-02-09
CVE-2026-22906 | Hardcoded Key Allows Credential Disclosure | 0852-1322 | 9.8 | Critical | 2026-02-09
CVE-2026-2103 | Use of Hard-Coded Cryptographic Key for Password Storage | SyteLine ERP | 7.1 | High | 2026-02-06
CVE-2026-22586 | Salesforce Marketing Cloud Engagement security vulnerability | Marketing Cloud Engagement | 9.4 | - | 2026-01-24
CVE-2025-58740 | Hardcoded Encryption Key Enables Database Credential Access in Milner ImageDirector Capture | ImageDirector Capture | 5.5 (AI) | Medium (AI) | 2026-01-20
CVE-2025-62581 | DIAView - Authentication Bypass Vulnerability | DIAView | 9.8 | Critical | 2026-01-16
CVE-2025-15108 | PandaXGO PandaX JWT Secret config.yml hard-coded key | PandaX | 3.7 | Low | 2025-12-27
CVE-2025-15107 | actiontech sqle JWT Secret jwt.go hard-coded key | sqle | 3.7 | Low | 2025-12-27
CVE-2025-15105 | getmaxun auth.ts hard-coded key | maxun | 3.7 | Low | 2025-12-27
CVE-2025-68948 | SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret | siyuan | 8.4 | - | 2025-12-27
CVE-2025-52601 | Hardcoding sensitive information | Device Manager | 4.3 | - | 2025-12-26
CVE-2025-15016 | Ragic|Enterprise Cloud Database - Hard-coded Cryptographic Key | Enterprise Cloud Database | 9.8 | Critical | 2025-12-22
CVE-2025-15005 | CouchCMS reCAPTCHA config.example.php hard-coded key | CouchCMS | 3.7 | Low | 2025-12-22
CVE-2025-14651 | MartialBE one-hub docker-compose.yml hard-coded key | one-hub | 3.7 | Low | 2025-12-14
CVE-2025-54947 | Apache StreamPark: Use hard-coded key vulnerability | Apache StreamPark | 9.8 (AI) | Critical (AI) | 2025-12-12
CVE-2025-34256 | Advantech WISE-DeviceOn Server < 5.4 Hard-coded JWT Key Authentication Bypass | WISE-DeviceOn Server | 9.8 | - | 2025-12-05
CVE-2025-13948 | opsre go-ldap-admin JWT docker-compose.yaml hard-coded key | go-ldap-admin | 5.6 | Medium | 2025-12-03
CVE-2025-66454 | Arcade MCP Default Hardcoded Worker Secret Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints | arcade-mcp | 6.5 | Medium | 2025-12-02
CVE-2025-13877 | nocobase JWT Service jwt-service.ts hard-coded key | nocobase | 5.6 | Medium | 2025-12-02
CVE-2025-11781 | Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 | Circutor | 7.8 (AI) | High (AI) | 2025-12-02
CVE-2025-6666 | motogadget mo.lock Ignition Lock NFC hard-coded key | mo.lock Ignition Lock | 2.0 | Low | 2025-11-29
CVE-2025-64304 | Fuji Television FOD app security vulnerability | "FOD" App for Android | 5.5 (AI) | Medium (AI) | 2025-11-25
CVE-2025-65998 | Apache Syncope: Default AES key used for internal password encryption | Apache Syncope | 6.5 (AI) | Medium (AI) | 2025-11-24

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) account for 248 CVEs. The CWE entry describes the weakness class; review the individual CVEs for product-specific impact.