
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 represents a critical implementation weakness where software embeds static, unchangeable cryptographic keys directly into its source code or binary. This flaw severely compromises confidentiality and integrity because attackers can easily extract these keys through reverse engineering or simple code inspection, bypassing the need for complex decryption attacks. Once obtained, adversaries can impersonate legitimate users, decrypt sensitive data, or forge digital signatures with impunity. To mitigate this risk, developers must avoid hardcoding secrets entirely. Instead, they should implement robust key management systems that generate, store, and rotate keys dynamically. Utilizing secure hardware modules, operating system keychains, or dedicated secret management services ensures that cryptographic material remains isolated from the application logic, significantly raising the barrier for potential attackers seeking to compromise the system’s security posture.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control
Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Mitigations (1)
Phase: Architecture and Design
Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.

#include <stdio.h>
#include <string.h>

/* The secret is a fixed string compiled into the binary: anyone who can
   read the binary (or this source) recovers it without any cryptanalysis. */
int VerifyAdmin(char *password) {
    if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}

Bad · C

// Same weakness: the secret is a literal in the class file and is
// trivially recovered by decompiling or simply running strings on it.
public boolean VerifyAdmin(String password) {
    if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
        System.out.println("Entering Diagnostic Mode...");
        return true;
    }
    System.out.println("Incorrect Password!");
    return false;
}

Bad · Java
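A hardened counterpart to the C example above, added here as an illustration and not part of the MITRE entry: the secret is no longer compiled in but read at runtime from the environment variable DIAG_ADMIN_KEY (a hypothetical name standing in for an OS keychain or secret-manager lookup), the comparison is constant-time, and a missing key fails closed instead of falling back to a built-in default.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant-time string comparison: the loop always covers the longer
   input, so response timing does not reveal where the first mismatch is. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Returns 1 on success, 0 on a wrong password, -1 when no key is configured.
   DIAG_ADMIN_KEY is a hypothetical variable set by the operator outside the
   binary; a real deployment would query a secret manager or keychain here. */
int VerifyAdminFromEnv(const char *password) {
    const char *key = getenv("DIAG_ADMIN_KEY");
    if (key == NULL || key[0] == '\0') {
        fprintf(stderr, "No admin key configured; refusing diagnostic mode\n");
        return -1;              /* fail closed: no compiled-in fallback */
    }
    if (!ct_equal(password, key)) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}

int main(void) {
    /* Constructed demo value; in production the operator sets it, not the code. */
    setenv("DIAG_ADMIN_KEY", "demo-key-not-in-source", 1);
    printf("%d\n", VerifyAdminFromEnv("wrong"));                   /* 0 */
    printf("%d\n", VerifyAdminFromEnv("demo-key-not-in-source"));  /* 1 */
    return 0;
}
```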
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-1631 | agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate` | agent-js | 9.1 | Critical | 2024-02-21 |
| CVE-2024-1258 | Juanpao JPShop API params.php hard-coded key | JPShop | 3.1 | Low | 2024-02-06 |
| CVE-2023-6482 | Encryption key derived from static host information | Synaptics Fingerprint Driver | 5.2 | Medium | 2024-01-27 |
| CVE-2023-49256 | Predictable encryption passphrase used in publicly accessible configuration file | H8951-4G-ESP | 7.5 | - | 2024-01-12 |
| CVE-2023-48392 | Kaifa Technology WebITR - Hard-coded Cryptographic Key | WebITR | 9.8 | Critical | 2023-12-15 |
| CVE-2023-40464 | Use of hardcoded certificate and private key | ALEOS | 8.1 | High | 2023-12-04 |
| CVE-2023-44318 | Siemens multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 4.9 | Medium | 2023-11-14 |
| CVE-2023-41137 | AppsAnywhere security vulnerability | AppsAnywhere Client | 8.0 | High | 2023-11-09 |
| CVE-2023-46129 | xkeys Seal encryption used fixed key for all encryption | nkeys | 7.5 | High | 2023-10-30 |
| CVE-2023-42492 | EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key | v3.0.6433.1964 | 7.1 | High | 2023-10-25 |
| CVE-2023-43637 | Vault Key Partially Predetermined | EVE OS | 7.8 | High | 2023-09-21 |
| CVE-2023-39982 | MXsecurity Hardcoded Credential | MXsecurity Series | 7.5 | High | 2023-09-02 |
| CVE-2023-3404 | ProfileGrid <= 5.5.0 - Hardcoded Encryption Key | ProfileGrid – User Profiles, Groups and Communities | 4.9 | Medium | 2023-08-31 |
| CVE-2023-32077 | Netmaker has Hardcoded DNS Secret Key | netmaker | 7.5 | High | 2023-08-24 |
| CVE-2023-3632 | Hard-coded Cryptographic Key in Kunduz - Homework Helper App | Kunduz - Homework Helper App | 9.8 | Critical | 2023-08-09 |
| CVE-2023-3947 | Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure | Video Conferencing with Zoom | 3.7 | Low | 2023-07-26 |
| CVE-2023-37291 | Galaxy Software Services Vitals ESP - Use of Hard-coded Cryptographic Key | Vitals ESP | 8.6 | High | 2023-07-21 |
| CVE-2023-34123 | SonicWALL GMS and SonicWALL Analytics trust management vulnerability | GMS | 9.8 | - | 2023-07-12 |
| CVE-2023-22844 | Milesight VPN security vulnerability | MilesightVPN | 7.3 | High | 2023-07-06 |
| CVE-2023-34338 | Hard coded cryptographic key | MegaRAC_SPx | 7.1 | High | 2023-07-05 |
| CVE-2023-3371 | EmbedPress <= 3.7.3 - Sensitive Information Exposure | EmbedPress – PDF Embedder, Embed YouTube Videos, 3D FlipBook, Social feeds, Docs & more | 5.3 | Medium | 2023-06-27 |
| CVE-2023-2637 | Rockwell Automation FactoryTalk System Services Vulnerable To Use Of Hard-Coded Cryptographic Key | FactoryTalk System Services | 7.3 | High | 2023-06-13 |
| CVE-2023-21404 | AXIS OS security vulnerability | AXIS OS | 7.7 | - | 2023-05-08 |
| CVE-2023-2158 | Impersonation through User-Controlled Token | Code Dx | 9.1 | - | 2023-04-27 |
| CVE-2023-0391 | MGT-COMMERCE CloudPanel Shared Certificate | CloudPanel | 8.1 | - | 2023-03-21 |
| CVE-2023-27583 | Panindex uses hard coded cryptographic key | PanIndex | 9.8 | Critical | 2023-03-13 |
| CVE-2023-20016 | Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability | Cisco Unified Computing System (Managed) | 6.3 | Medium | 2023-02-23 |
| CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Microsoft SQL Server 2012 Service Pack 4 (QFE) | 8.8 | High | 2023-02-14 |
| CVE-2022-34386 | Dell SupportAssist for Home PCs trust management vulnerability | SupportAssist Client Consumer | 5.5 | Medium | 2023-02-10 |
| CVE-2023-20038 | Cisco Industrial Network Director trust management vulnerability | Cisco Industrial Network Director | 8.8 | High | 2023-01-19 |

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.