
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 248

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 is an implementation weakness in which software embeds a static, unchangeable cryptographic key directly in its source code or shipped binary. Because the key can be recovered by reverse engineering, disassembly, or a simple `strings` pass over the artifact, an attacker never has to break the cipher; and because every copy of the product carries the same key, one extraction compromises every deployment at once. With the key in hand, an adversary can impersonate legitimate users or devices, decrypt stored or transmitted data, or forge signatures and authentication tokens. Mitigation means not embedding secrets in code at all: generate keys at install or provisioning time, keep them outside the application (a hardware security module, the operating-system keychain, or a dedicated secrets manager), load them at runtime, and design for rotation so that a compromised key can be retired without shipping a new build.
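The contrast between a key baked into the source and a key provisioned at runtime, as an added example for this page (it is not MITRE code and not code from any product in the CVE list below). The first half signs tokens with a literal key and shows that anyone holding that literal forges an admin token; the second half loads keys from the environment, names each key by an ID inside the token, and supports rotation and retirement without a code change. The `APP_SIGNING_KEYS` / `APP_SIGNING_KID` variable names, the key IDs and the token format are inventions of this example, and the hex key is a constructed placeholder.

```python
"""Hard-coded signing key beside a runtime-provisioned, rotatable key ring.

Added illustration for this CWE-321 page, not MITRE or product code. Standard
library only; env var names, key IDs and token format are invented here.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Mapping, Optional

# --- Vulnerable (CWE-321): the HMAC key is a literal in the source ---------
# Anyone who reads the source, decompiles the bytecode or runs `strings` on a
# packaged build obtains it, and because every install ships the same literal,
# one extraction forges tokens for every deployment. Constructed placeholder.
HARDCODED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def sign_vulnerable(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(HARDCODED_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_vulnerable(token: str) -> Optional[dict]:
    body_b64, tag_b64 = token.split(".")
    body = _b64d(body_b64)
    expected = hmac.new(HARDCODED_KEY, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(expected, _b64d(tag_b64)) else None


def attacker_forges_token() -> str:
    """Someone who pulled HARDCODED_KEY out of the binary mints an admin token
    that verify_vulnerable() accepts; no cryptanalysis is needed."""
    return sign_vulnerable({"sub": "attacker", "role": "admin"})


# --- Hardened: keys provisioned at runtime, named by ID, rotatable ---------
# Filled from the environment here; a secrets manager or HSM plays the same
# role in production. Each token names the key ID it was minted under, so a
# new key can be introduced, old tokens verified during the overlap, and the
# old key retired, all without touching the code.
class KeyRing:
    def __init__(self, keys: dict[str, bytes], current: str) -> None:
        if current not in keys:
            raise ValueError("current key id is not in the ring")
        self._keys = dict(keys)
        self._current = current

    @classmethod
    def from_env(cls, environ: Mapping[str, str] = os.environ) -> KeyRing:
        # Invented format: APP_SIGNING_KEYS="k1:<hex>,k2:<hex>"  APP_SIGNING_KID="k2"
        keys = {}
        for entry in environ["APP_SIGNING_KEYS"].split(","):
            kid, hexkey = entry.split(":", 1)
            key = bytes.fromhex(hexkey)
            if len(key) < 32:
                raise ValueError(f"key {kid} is shorter than 256 bits")
            keys[kid] = key
        return cls(keys, environ["APP_SIGNING_KID"])

    @staticmethod
    def new_key() -> str:
        """Fresh 256-bit key as hex, from the OS CSPRNG."""
        return secrets.token_hex(32)

    def rotate(self, kid: str, hexkey: str) -> None:
        self._keys[kid] = bytes.fromhex(hexkey)
        self._current = kid

    def retire(self, kid: str) -> None:
        if kid == self._current:
            raise ValueError("rotate to a new key before retiring the current one")
        self._keys.pop(kid, None)

    def sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(self._keys[self._current], body, hashlib.sha256).digest()
        return self._current + "." + _b64e(body) + "." + _b64e(tag)

    def verify(self, token: str) -> Optional[dict]:
        try:
            kid, body_b64, tag_b64 = token.split(".")
            key = self._keys[kid]  # unknown or retired key ID: reject
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except (ValueError, KeyError):
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        return json.loads(body) if hmac.compare_digest(expected, tag) else None
```

The key ID in the token is what makes rotation practical: during the overlap window both the old and new key sit in the ring, and once every token minted under the old key has expired the old key is removed and anything still presenting its ID is rejected. Note that the verification path uses `hmac.compare_digest` in both halves; the hard-coded version is not broken by a timing leak but by the fact that the secret was never secret.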

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data.
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Phase: Architecture and Design. Prevention schemes mirror those for hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.

    #include <stdio.h>
    #include <string.h>

    int VerifyAdmin(char *password) {
        /* The expected secret is a string literal in the binary: a `strings`
           pass over the executable recovers it, and every shipped copy shares it. */
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }
Bad · C

    public boolean VerifyAdmin(String password) {
        // Same flaw: the literal is embedded in the .class file and is trivially
        // readable with javap or any decompiler.
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }
Bad · Java
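Finding this class of flaw before it ships is mostly a matter of looking for secret-shaped literals in the source. The scanner below is an added example for this page (not a MITRE tool and not any vendor's product scanner): it combines a Shannon-entropy test on long hex and base64 literals with a second rule that flags any literal bound to a key-like name, and runs over a constructed sample that embeds the two MITRE snippets above plus a few invented lines. The patterns, thresholds and the sample source are this example's own choices.

```python
"""Heuristic scanner for hard-coded cryptographic material in source text.

Added example for this CWE-321 page; not a MITRE tool or a product scanner.
The regexes, thresholds and SAMPLE_SOURCE below are constructed for the demo.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass, field

# Quoted hex blob of at least 32 hex digits (a 128-bit key or longer).
HEX_LIT = re.compile(r'["\']([0-9a-fA-F]{32,})["\']')
# Quoted base64-looking blob of at least 24 characters (16+ bytes).
B64_LIT = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')
# A quoted literal of 8+ chars assigned to, or passed right after, a key-ish name.
KEY_CTX = re.compile(
    r'(?i)(?:^|[^a-z])(key|secret|iv|salt|token|passw)\w*["\']?\s*[=:(,]\s*["\']([^"\']{8,})["\']'
)


@dataclass
class Finding:
    line_no: int
    literal: str
    entropy: float
    reasons: list = field(default_factory=list)


def shannon_entropy(text: str) -> float:
    """Bits per character: at most 4.0 for hex, up to 6.0 for base64."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str, hex_min: float = 3.0, b64_min: float = 4.5) -> list[Finding]:
    """One Finding per (line, literal); a literal hit by several rules lists every reason."""
    found: dict[tuple[int, str], Finding] = {}

    def add(line_no: int, literal: str, reason: str) -> None:
        f = found.setdefault((line_no, literal), Finding(line_no, literal, shannon_entropy(literal)))
        f.reasons.append(reason)

    for line_no, line in enumerate(source.splitlines(), 1):
        for m in HEX_LIT.finditer(line):
            if shannon_entropy(m.group(1)) >= hex_min:
                add(line_no, m.group(1), "high-entropy hex literal")
        for m in B64_LIT.finditer(line):
            if shannon_entropy(m.group(1)) >= b64_min:
                add(line_no, m.group(1), "high-entropy base64 literal")
        for m in KEY_CTX.finditer(line):
            add(line_no, m.group(2), f"literal bound to key-like name '{m.group(1)}'")
    return sorted(found.values(), key=lambda f: (f.line_no, f.literal))


# Constructed sample: the two MITRE snippets from this page plus invented lines.
SAMPLE_SOURCE = r'''
/* MITRE C example (from this page) */
int VerifyAdmin(char *password) {
    if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}
// MITRE Java example (from this page)
public boolean VerifyAdmin(String password) {
    if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
// constructed: base64 blob bound to a key-like name (typical SecretKeySpec use)
static final String AES_KEY = "c2VjcmV0S2V5TWF0ZXJpYWxGb3JEZW1vVXNl";
// constructed: static IV, the pattern behind the hardcoded-IV entry in the CVE table
byte[] iv = "0123456789abcdef".getBytes();
// constructed: low-entropy filler hex, not flagged without key context
String filler = "deadbeefdeadbeefdeadbeefdeadbeef";
// constructed: ordinary long string, not flagged
String msg = "Connection to the configuration service was lost";
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.literal!r} (H={f.entropy:.2f}) <- {', '.join(f.reasons)}")
```

The two rules cover each other's blind spots: the Java `password.equals("68af...")` form has no assignment for the context rule to see, so only the entropy rule catches it, while the 16-character IV is too short for the hex rule and is caught only because it is bound to `iv`. The `deadbeef...` filler shows the limit of entropy alone; a null or repeated-byte key is still a hard-coded key, so a reviewer should treat the threshold as a triage aid, not a verdict. Wired into a pre-commit hook or CI job, a scanner like this is the cheapest control on the page.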
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | Affected product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-34442 | Dell EMC SCG Policy Manager Trust Management Issue Vulnerability | Secure Connect Gateway (SCG) Policy Manager | 8.0 | High | 2023-01-18 |
| CVE-2022-34462 | Dell EMC SCG Policy Manager Trust Management Issue Vulnerability | Secure Connect Gateway (SCG) Policy Manager | 8.4 | High | 2023-01-18 |
| CVE-2017-5242 | Rapid7 Nexpose Virtual Appliance Duplicate SSH Host Key | Nexpose Virtual Appliance | 7.7 | - | 2023-01-12 |
| CVE-2022-34441 | Dell EMC Secure Connect Gateway Trust Management Issue Vulnerability | Secure Connect Gateway (SCG) Policy Manager | 8.0 | High | 2023-01-11 |
| CVE-2022-34440 | Dell EMC Secure Connect Gateway Trust Management Issue Vulnerability | Secure Connect Gateway (SCG) Policy Manager | 8.4 | High | 2023-01-11 |
| CVE-2022-36925 | Insecure key generation for Zoom Rooms for macOS Clients | Zoom Rooms for macOS | 4.4 | Medium | 2023-01-09 |
| CVE-2022-2660 | Delta Electronics Industrial Automation DIALink Trust Management Issue Vulnerability | Industrial Automation DIALink | 9.8 | Critical | 2022-12-13 |
| CVE-2022-2641 | Horner Automation Remote Compact Controller Security Vulnerability | Remote Compact Controller (RCC) 972 | 9.8 | Critical | 2022-12-12 |
| CVE-2022-29830 | Mitsubishi Electric GX Works3 Trust Management Issue Vulnerability | GX Works3 | 9.1 | Critical | 2022-11-24 |
| CVE-2022-29829 | Mitsubishi Electric GX Works3 Trust Management Issue Vulnerability | GX Works3 | 6.8 | Medium | 2022-11-24 |
| CVE-2022-29828 | Mitsubishi Electric GX Works3 Trust Management Issue Vulnerability | GX Works3 | 6.8 | Medium | 2022-11-24 |
| CVE-2022-29827 | Mitsubishi Electric GX Works3 Trust Management Issue Vulnerability | GX Works3 | 6.8 | Medium | 2022-11-24 |
| CVE-2022-20868 | Multiple Cisco Products Trust Management Issue Vulnerability | Cisco Secure Web Appliance | 4.7 | Medium | 2022-11-03 |
| CVE-2021-4228 | Hard-coded TLS Certificate | IAC-AST2500A | 5.8 | Medium | 2022-10-24 |
| CVE-2022-34425 | Dell Enterprise SONiC OS Trust Management Issue Vulnerability | Enterprise SONiC OS | 7.5 | High | 2022-10-10 |
| CVE-2022-1400 | Hardcoded encryption key IV in Exago WebReportsApi.dll | CMDB | 7.1 | High | 2022-08-16 |
| CVE-2022-29186 | Use of Hard-coded Cryptographic Key in rundeck/rundeck, rundeckpro/enterprise | rundeck | 9.1 | Critical | 2022-05-20 |
| CVE-2022-1701 | SonicWall SMA1000 series Trust Management Issue Vulnerability | SonicWall SMA1000 | 7.5 | - | 2022-05-13 |
| CVE-2022-26020 | InHand Networks InRouter Series Trust Management Issue Vulnerability | InRouter302 | 6.5 | - | 2022-05-12 |
| CVE-2022-20773 | Cisco Umbrella Virtual Appliance Static SSH Host Key Vulnerability | Cisco Umbrella Insights Virtual Appliance | 7.5 | High | 2022-04-21 |
| CVE-2022-24860 | Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. | databasir | 7.4 | High | 2022-04-19 |
| CVE-2020-25193 | GE Reason RT43X Clocks Use of Hard-coded Cryptographic Key | Reason RT43X Clocks | 5.3 | Medium | 2022-03-18 |
| CVE-2020-25180 | Rockwell Automation ISaGRAF5 Runtime Use of Hard-coded Cryptographic Key | ISaGRAF Runtime | 5.3 | Medium | 2022-03-18 |
| CVE-2022-23650 | Use of Hard-coded Cryptographic Key in Netmaker | netmaker | 7.2 | High | 2022-02-18 |
| CVE-2022-0664 | Use of Hard-coded Cryptographic Key in gravitl/netmaker | gravitl/netmaker | 9.8 | - | 2022-02-18 |
| CVE-2022-22987 | Advantech ADAM-3600 | ADAM-3600 | 9.8 | Critical | 2022-02-04 |
| CVE-2022-21199 | Reolink RLC-410W Trust Management Issue Vulnerability | n/a | 5.9 | - | 2022-01-28 |
| CVE-2021-23842 | Use of Hard-coded Cryptographic Key | AMS | 5.7 | Medium | 2022-01-19 |
| CVE-2021-43552 | Philips Patient Information Center iX (PIC iX) and Efficia CM Series Use of Hard-coded Cryptographic Key | Patient Information Center iX (PIC iX) | 6.1 | Medium | 2021-12-27 |
| CVE-2021-43587 | Dell PowerPath Management Appliance Security Vulnerability | PowerPath Management Appliance | 8.2 | High | 2021-12-21 |

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.