
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 is a critical implementation weakness in which software embeds a static, unchangeable cryptographic key directly in its source code or binary. Because every installed copy shares the same key, an attacker who extracts it once, by decompiling the binary, running strings(1) over it, or simply reading the repository, can attack every deployment without any cryptanalysis. With the key in hand, an adversary can decrypt the data it protects, forge MACs or signatures, impersonate legitimate users or devices, or bypass an authentication check that relies on it; and because the key cannot be rotated without shipping new code, the exposure persists until every affected installation is updated. Developers should not embed secrets in code at all. Keys should be generated per installation and supplied at runtime, tagged with a key identifier so they can be rotated and retired, from a hardware security module, the operating system keychain, or a dedicated secret-management service. That keeps cryptographic material isolated from the application logic and forces an attacker to compromise a running system rather than a distributed copy of the software.
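The "simple code inspection" mentioned above is easy to mechanise. The scanner below is an added example, not a tool from this page or from any project it lists: it walks source text line by line looking for three shapes of embedded key material (a PEM private-key header, a hex literal of 16 to 64 bytes assigned to a key-like name, and a quoted base64 literal assigned to a key-like name) and uses Shannon entropy to drop obvious placeholders such as an all-zero IV. The regexes, the entropy thresholds and the sample source it scans are all constructed for this example.

```python
"""Find embedded key material in source text: the code inspection an
attacker (or a pre-commit hook) performs. Added example; the patterns,
thresholds and sample input are this example's own assumptions."""
import math
import re
from typing import List, Tuple

# A variable/field name that suggests key material (matched case-insensitively).
KEY_NAME = r"\w*(?:key|secret|iv|salt|passphrase|token)\w*"

PEM_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# 32-128 hex chars (16-64 bytes) assigned to a key-like name and not the
# prefix of a longer token (the lookahead rejects e.g. a 40-char base64 blob).
HEX_KEY_RE = re.compile(
    KEY_NAME + r"""\s*[:=]\s*["']?(?P<val>[0-9a-fA-F]{32,128})(?![0-9A-Za-z+/=])""", re.I)
# A quoted base64 literal of at least 32 chars assigned to a key-like name.
B64_KEY_RE = re.compile(
    KEY_NAME + r"""\s*[:=]\s*["'](?P<val>[A-Za-z0-9+/]{32,}={0,2})["']""", re.I)

HEX_ENTROPY_MIN = 3.0   # max for hex is 4.0; all-zero/repeated placeholders score far lower
B64_ENTROPY_MIN = 3.5   # max for base64 is 6.0; even encoded English words score above this

def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, matched value) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pem = PEM_RE.search(line)
        if pem:
            findings.append((lineno, "pem-private-key", pem.group(0)))
            continue
        m = HEX_KEY_RE.search(line)
        if m and shannon_entropy(m["val"]) >= HEX_ENTROPY_MIN:
            findings.append((lineno, "hex-key-literal", m["val"]))
            continue
        m = B64_KEY_RE.search(line)
        if m and shannon_entropy(m["val"]) >= B64_ENTROPY_MIN:
            findings.append((lineno, "base64-key-literal", m["val"]))
    return findings

# Constructed sample source, not real project code. Lines 3, 4 and 7 are the
# CWE-321 instances; line 5 is a low-entropy placeholder and line 6 loads its
# key at runtime, so neither of those should be reported.
SAMPLE_SOURCE = "\n".join([
    "# constructed sample module",
    "import os",
    'AES_KEY = "68af404b513073584c4b6f22b6c63e6b"',
    'JWT_SECRET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr="',
    'iv = "00000000000000000000000000000000"',
    'api_key = os.environ["API_KEY"]',
    'host_key = """-----BEGIN OPENSSH PRIVATE KEY-----',
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW",
    '-----END OPENSSH PRIVATE KEY-----"""',
])

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value[:40]}")
```

Run against a compiled artefact rather than source, the same patterns apply to the output of strings(1); the entropy gate is what keeps the report short, since test vectors, zero IVs and "CHANGEME" placeholders fall below it while real key bytes do not.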

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data.
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Phase: Architecture and Design. Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.

    #include <stdio.h>
    #include <string.h>

    int VerifyAdmin(char *password) {
        /* The comparison value is compiled into the binary and recoverable with strings(1). */
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · C

    public boolean VerifyAdmin(String password) {
        // The comparison value is a constant in the class file and recoverable by decompiling.
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }

Bad · Java
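What an attacker does with a constant pulled out of a binary like the ones above, and what the fix looks like, as an added example in Python (not code from this page, from MITRE, or from any product in the list below). The vulnerable half signs a token with a key that is a literal in the source, so anyone who has read the binary can mint an admin token the server accepts. The hardened half takes keys at runtime (here from a constructed TOKEN_KEY_<kid>=<hex> environment standing in for a keychain or secret manager), labels each token with the key id it was signed under, and retires old ids. The token layout, the KeyRing class and the environment convention are this example's own assumptions.

```python
"""Hard-coded HMAC signing key beside a runtime-supplied, rotatable key ring.

Added example, not code from the page, from MITRE or from any listed product.
The token layout (kid.payload.mac), the TOKEN_KEY_* environment convention and
the KeyRing class are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

def _encode(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()

def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

# ---- Vulnerable (CWE-321): the key is a constant in the shipped code ---------
HARDCODED_KEY = b"68af404b513073584c4b6f22b6c63e6b"   # constructed; recoverable with strings(1)

def issue_token_vulnerable(claims: dict) -> str:
    body = _encode(claims)
    return f"{body}.{_mac(HARDCODED_KEY, body)}"

def verify_token_vulnerable(token: str) -> Optional[dict]:
    body, _, mac = token.rpartition(".")
    if not hmac.compare_digest(mac, _mac(HARDCODED_KEY, body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def forge_token(extracted_key: bytes, claims: dict, kid: Optional[str] = None) -> str:
    """Attacker side: mint a token with a key pulled out of the binary."""
    body = _encode(claims)
    if kid is None:                       # vulnerable layout: body.mac
        return f"{body}.{_mac(extracted_key, body)}"
    return f"{kid}.{body}.{_mac(extracted_key, f'{kid}.{body}')}"

# ---- Hardened: keys arrive at runtime, carry a key id, and can be retired ----
class KeyRing:
    """Signing keys by key id, so keys can be rotated without shipping code."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current: Optional[str] = None

    def add(self, kid: str, key: bytes, make_current: bool = True) -> None:
        if len(key) < 32:
            raise ValueError("HMAC-SHA256 key should be at least 32 bytes")
        self._keys[kid] = key
        if make_current:
            self._current = kid

    def retire(self, kid: str) -> None:
        self._keys.pop(kid, None)
        if self._current == kid:
            self._current = None

    def current(self) -> Tuple[str, bytes]:
        if self._current is None:
            raise RuntimeError("no active signing key")
        return self._current, self._keys[self._current]

    def get(self, kid: str) -> Optional[bytes]:
        return self._keys.get(kid)

def keyring_from_env(env: Dict[str, str]) -> KeyRing:
    """TOKEN_KEY_<kid>=<hex> entries as a secret manager or keychain would inject
    them; TOKEN_KEY_CURRENT names the kid used for new tokens (assumed convention)."""
    ring = KeyRing()
    current = env.get("TOKEN_KEY_CURRENT")
    for name, value in env.items():
        if name.startswith("TOKEN_KEY_") and name != "TOKEN_KEY_CURRENT":
            kid = name[len("TOKEN_KEY_"):]
            ring.add(kid, bytes.fromhex(value), make_current=(kid == current))
    return ring

def issue_token(ring: KeyRing, claims: dict) -> str:
    kid, key = ring.current()
    body = _encode(claims)
    return f"{kid}.{body}.{_mac(key, f'{kid}.{body}')}"

def verify_token(ring: KeyRing, token: str) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 3:
        return None
    kid, body, mac = parts
    key = ring.get(kid)
    if key is None or not hmac.compare_digest(mac, _mac(key, f"{kid}.{body}")):
        return None                        # unknown/retired kid or bad MAC: fail closed
    return json.loads(base64.urlsafe_b64decode(body))

def demo() -> Dict[str, bool]:
    r = {}
    # 1. With the constant in hand, the attacker is an admin on every install.
    forged = forge_token(HARDCODED_KEY, {"user": "admin"})
    r["forged_accepted_vulnerable"] = verify_token_vulnerable(forged) == {"user": "admin"}
    # 2. Key supplied at runtime (constructed env standing in for a secret store).
    env = {"TOKEN_KEY_k1": secrets.token_hex(32), "TOKEN_KEY_CURRENT": "k1"}
    ring = keyring_from_env(env)
    alice = issue_token(ring, {"user": "alice"})
    r["valid_token_accepted"] = verify_token(ring, alice) == {"user": "alice"}
    r["forged_rejected_hardened"] = verify_token(
        ring, forge_token(HARDCODED_KEY, {"user": "admin"}, kid="k1")) is None
    # 3. Rotation: k2 becomes current, k1 is retired, tokens under k1 die with it.
    ring.add("k2", secrets.token_bytes(32))
    bob = issue_token(ring, {"user": "bob"})
    ring.retire("k1")
    r["old_kid_rejected_after_retire"] = verify_token(ring, alice) is None
    r["new_kid_accepted"] = bob.startswith("k2.") and verify_token(ring, bob) == {"user": "bob"}
    return r

if __name__ == "__main__":
    print(demo())
```

Rotation works because the verifier looks keys up by kid instead of holding one global constant: after retire("k1"), tokens issued under k1 fail closed rather than being accepted with a stale key. In production the key bytes come from the HSM, OS keychain or secret service named in the description above, not from an environment dictionary, but the application code does not change.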
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
("(AI)" marks a score or severity the page tags as AI-generated rather than taken from the advisory.)

CVE-2025-1099 | Information Disclosure Vulnerability in TP-Link Tapo C500 Wi-Fi Camera | Tapo C500 V1 Wi-Fi Camera | 5.7 | - | 2025-02-10
CVE-2024-47256 | 2N Access Commander security vulnerability | 2N Access Commander | 6.0 | Medium | 2025-02-06
CVE-2024-12078 | ECOVACS lawnmowers and vacuums static BLE GATT encryption key | Unspecified robots | 6.3 | Medium | 2025-01-23
CVE-2024-50564 | Fortinet FortiClientWindows security vulnerability | FortiClientWindows | 3.2 | Low | 2025-01-14
CVE-2023-37936 | Fortinet FortiSwitch security vulnerability | FortiSwitch | 9.6 | Critical | 2025-01-14
CVE-2024-5722 | Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability | Unified SecOps Platform | 8.8 | - | 2024-11-22
CVE-2024-45837 | AIPHONE IX SYSTEM and AIPHONE IXG SYSTEM security vulnerability | IX-MV | 8.8 | - | 2024-11-22
CVE-2024-52614 | EPARK Kura Sushi Official App security vulnerability | Kura Sushi Official App Produced by EPARK | 7.8 (AI) | High (AI) | 2024-11-20
CVE-2024-11308 | TRCore DVC - Use of Hard-coded Cryptographic Key | DVC | 6.2 | Medium | 2024-11-18
CVE-2024-46889 | Siemens SINEC INS security vulnerability | SINEC INS | 5.3 | Medium | 2024-11-12
CVE-2024-10920 | mariazevedo88 travels-java-api JWT Secret JwtAuthenticationTokenFilter.java doFilterInternal hard-coded key | travels-java-api | 3.1 | Low | 2024-11-06
CVE-2024-38314 | IBM Maximo Application Suite - Monitor Component information disclosure | Maximo Application Suite - Monitor Component | 5.9 | Medium | 2024-10-24
CVE-2024-20280 | Cisco UCS Central Software Configuration Backup Static Key Vulnerability | Cisco Unified Computing System Central Software | 6.3 | Medium | 2024-10-16
CVE-2024-20350 | Cisco Catalyst Center Static SSH Host Key Vulnerability | Cisco Digital Network Architecture Center (DNA Center) | 7.5 | High | 2024-09-25
CVE-2023-27584 | Dragonfly2 vulnerable to hard coded cyptographic key | Dragonfly2 | 9.8 | Critical | 2024-09-19
CVE-2024-42418 | Avtec Outpost Use of Hard-coded Cryptographic Key | Outpost 0810 | 7.5 | High | 2024-08-22
CVE-2024-6890 | Journyx Unauthenticated Password Reset Bruteforce | Journyx (jtime) | 8.1 (AI) | High (AI) | 2024-08-07
CVE-2024-20323 | Cisco Intelligent Node security vulnerability | Cisco Intelligent Node Manager | 7.5 | High | 2024-07-17
CVE-2024-38532 | TEST_KEY used in example dcp_tool reference implementation | mxs-dcp | 7.1 | High | 2024-06-28
CVE-2024-5296 | D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability | D-View | 9.8 (AI) | Critical (AI) | 2024-05-23
CVE-2024-31410 | CyberPower PowerPanel business Use of Hard-coded Cryptographic Key | PowerPanel business | 7.7 | High | 2024-05-15
CVE-2024-30207 | Siemens multiple products security vulnerability | SIMATIC RTLS Locating Manager | 10.0 | Critical | 2024-05-14
CVE-2024-3109 | Motorola GuideMe security vulnerability | Phones | 6.3 | Medium | 2024-05-03
CVE-2023-39482 | Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability | Secure Integration Server | 6.5 | - | 2024-05-03
CVE-2023-39465 | Triangle MicroWorks SCADA Data Gateway Use of Hard-coded Cryptograhic Key Information Disclosure Vulnerability | SCADA Data Gateway | 7.5 | - | 2024-05-03
CVE-2023-32169 | D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability | D-View | 9.8 | - | 2024-05-03
CVE-2024-30407 | [Child CVE] JCNR and cRPD: Hard-coded SSH host keys in cRPD may allow Person-in-the-Middle (PitM) attacks | cRPD | 8.1 | High | 2024-04-12
CVE-2023-38535 | OpenText Exceed Turbo X security vulnerability | Exceed Turbo X | 4.7 | Medium | 2024-03-13
CVE-2024-2413 | Intumit SmartRobot - Use of Hard-coded Cryptographic Key | SmartRobot | 9.8 | Critical | 2024-03-13
CVE-2024-1920 | osuuu LightPicture TokenVerify.php handle hard-coded key | LightPicture | 5.6 | Medium | 2024-02-27

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.