
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 represents a critical implementation weakness where software embeds static, unchangeable cryptographic keys directly into its source code or binary. This flaw severely compromises confidentiality and integrity because attackers can easily extract these keys through reverse engineering or simple code inspection, bypassing the need for complex decryption attacks. Once obtained, adversaries can impersonate legitimate users, decrypt sensitive data, or forge digital signatures with impunity. To mitigate this risk, developers must avoid hardcoding secrets entirely. Instead, they should implement robust key management systems that generate, store, and rotate keys dynamically. Utilizing secure hardware modules, operating system keychains, or dedicated secret management services ensures that cryptographic material remains isolated from the application logic, significantly raising the barrier for potential attackers seeking to compromise the system’s security posture.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Architecture and Design: Prevention schemes mirror those for hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.
    #include <stdio.h>
    #include <string.h>

    /* The comparison value is a fixed literal compiled into the binary. */
    int VerifyAdmin(char *password) {
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · C

    /* The same weakness in Java: the secret is a string constant in the class file. */
    public boolean VerifyAdmin(String password) {
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }

Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
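As an added illustration of the mitigation described above (not code from MITRE or from this site), the following shows the pattern behind several CVEs in this class (an HMAC/JWT-style signing secret embedded in source) next to a hardened form that takes the key from the runtime environment and refuses to start without it. The environment variable name, the sample key and the token format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Weak pattern (CWE-321): the signing key is a literal in the source. ---
# Whoever can read the source or the binary holds the key and can mint tokens
# that verify. The literal below is a constructed sample, not a real key.
HARDCODED_KEY = b"68af404b513073584c4b6f22b6c63e6b"

def sign_token_weak(payload: bytes) -> bytes:
    mac = hmac.new(HARDCODED_KEY, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(mac)

# --- Hardened pattern: the key arrives at runtime and never sits in code. ---
KEY_ENV_VAR = "APP_SIGNING_KEY_B64"  # hypothetical name; stands in for a keychain or secret manager

def load_signing_key(env=os.environ) -> bytes:
    """Read the base64-encoded key from the environment (or any mapping).
    A missing or too-short key is a hard failure: never fall back to a
    built-in default, because that default becomes a hard-coded key."""
    raw = env.get(KEY_ENV_VAR)
    if raw is None:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to run without a key")
    key = base64.b64decode(raw)
    if len(key) < 32:
        raise RuntimeError("signing key must be at least 256 bits")
    return key

def sign_token(payload: bytes, key: bytes) -> bytes:
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(mac)

def verify_token(token: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload when the MAC checks out, else None. compare_digest
    keeps the comparison constant-time, unlike == or strcmp."""
    payload, sep, mac_b64 = token.rpartition(b".")
    if not sep:
        return None
    try:
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None
```

In a real deployment the mapping passed to load_signing_key would be the process environment populated by a secret manager, and the key would be rotated by changing that value rather than shipping a new build.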
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-26476 | Dell ECS Security Vulnerability | ECS | 8.4 | High | 2025-08-04 |
| CVE-2025-38741 | Dell Enterprise SONiC OS Security Vulnerability | Enterprise SONiC OS | 7.5 | High | 2025-08-04 |
| CVE-2025-44963 | RUCKUS Network Director Security Vulnerability | Network Director | 9.0 | Critical | 2025-08-04 |
| CVE-2025-43483 | Poly Clariti Manager - Multiple Security Vulnerabilities | Poly Clariti Manager | 7.5 | - | 2025-07-22 |
| CVE-2025-6071 | Hard Coded Key used for AES encryption | RMC-100 | 5.3 | Medium | 2025-07-03 |
| CVE-2025-6074 | Authentication Bypass to the MQTT configuration Web Interface | RMC-100 | 6.5 | Medium | 2025-07-03 |
| CVE-2025-6669 | gooaclok819 sublinkX jwt.go hard-coded key | sublinkX | 3.7 | Low | 2025-06-25 |
| CVE-2025-5353 | Ivanti Workspace Control Security Vulnerability | Workspace Control | 8.8 | High | 2025-06-10 |
| CVE-2025-22463 | Ivanti Workspace Control Security Vulnerability | Workspace Control | 7.3 | High | 2025-06-10 |
| CVE-2025-22455 | Ivanti Workspace Control Security Vulnerability | Workspace Control | 8.8 | High | 2025-06-10 |
| CVE-2025-49164 | Arris VIP1113 Security Vulnerability | VIP1113 | 4.3 | Medium | 2025-06-02 |
| CVE-2025-5164 | PerfreeBlog JWT JwtUtil hard-coded key | PerfreeBlog | 3.7 | Low | 2025-05-26 |
| CVE-2025-48417 | Hard-Coded Certificate and Private Key for HTTPS Web Interface in eCharge Hardy Barth cPH2 / cPP2 charging stations | cPH2 / cPP2 charging stations | 8.1 (AI) | High (AI) | 2025-05-21 |
| CVE-2024-56429 | itech iLabClient Security Vulnerability | iLabClient | 7.7 | High | 2025-05-21 |
| CVE-2025-4876 | Hardcoded Key Revealed in ConnectWise Password Encryption Utility | Risk Assessment | 6.0 | Medium | 2025-05-19 |
| CVE-2025-45746 | ZKTeco ZKBio CVSecurity Security Vulnerability | ZKBio CVSecurity | 6.5 | Medium | 2025-05-13 |
| CVE-2024-58134 | Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default | Mojolicious | 7.7 (AI) | High (AI) | 2025-05-03 |
| CVE-2025-32730 | i-PRO Surveillance Cameras and i-PRO Recorders Security Vulnerability | i-PRO Configuration Tool | 7.8 | - | 2025-04-24 |
| CVE-2025-30206 | Dpanel's hard-coded JWT secret leads to remote code execution | dpanel | 9.8 | Critical | 2025-04-15 |
| CVE-2025-31362 | OPEN BizRobo! Security Vulnerability | BizRobo! | 9.1 (AI) | Critical (AI) | 2025-04-11 |
| CVE-2025-3177 | FastCMS JWT hard-coded key | FastCMS | 5.0 | Medium | 2025-04-03 |
| CVE-2025-30406 | Gladinet CentreStack Security Vulnerability | CentreStack | 9.0 | Critical | 2025-04-03 |
| CVE-2025-30095 | VyOS Security Vulnerability | VyOS | 9.0 | Critical | 2025-03-31 |
| CVE-2025-30234 | Joyent SmartOS Security Vulnerability | SmartOS | 8.3 | High | 2025-03-19 |
| CVE-2024-54027 | Fortinet FortiSandbox Security Vulnerability | FortiSandbox | 7.8 | High | 2025-03-17 |
| CVE-2024-13773 | Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Sensitive Information Exposure | Civi - Job Board & Freelance Marketplace WordPress Theme | 7.3 | High | 2025-03-14 |
| CVE-2025-26340 | Q-Free MAXTIME Suite Security Vulnerability | MaxTime | 8.8 | High | 2025-02-12 |
| CVE-2024-33504 | Fortinet FortiManager Security Vulnerability | FortiManager | 3.9 | Medium | 2025-02-11 |
| CVE-2024-13842 | Ivanti Connect Secure Security Vulnerability | Connect Secure | 6.0 | Medium | 2025-02-11 |
| CVE-2024-28989 | SolarWinds Web Help Desk Cryptographic Key Management Vulnerability | Web Help Desk | 5.5 | Medium | 2025-02-11 |

Scores and severities marked (AI) are AI-estimated rather than vendor- or NVD-assigned.

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.