
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class · 248 CVEs

248 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 is an implementation weakness in which software embeds a static, unchangeable cryptographic key directly in its source code or binary. Because the key can be recovered by reverse engineering or simple code inspection, no attack on the cryptography itself is needed: anyone who extracts it can impersonate legitimate users, decrypt protected data, or forge signatures, and the key cannot be rotated without shipping a new build. The mitigation is to keep secrets out of the code entirely and to rely on a key management system that generates, stores, and rotates keys at runtime. Hardware security modules, operating system keychains, or dedicated secret management services keep the key material isolated from the application logic and make extraction substantially harder.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Phase: Architecture and Design · Prevention schemes mirror those of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.
    int VerifyAdmin(char *password) {
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }
Bad · C

    public boolean VerifyAdmin(String password) {
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }
Bad · Java
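The following is an added example, not MITRE's code, showing the same VerifyAdmin decision with the secret moved out of the binary, as the mitigation text above recommends. It assumes the expected key is provisioned in a file whose path is given by an environment variable named ADMIN_KEY_FILE (an assumed name), and it compares in constant time so a partial match does not leak through timing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant-time equality: every byte is examined, so timing does not reveal
 * the position of the first mismatch; a length mismatch is folded in too. */
int ct_equal(const unsigned char *a, size_t alen,
             const unsigned char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Read the expected secret from the file named by ADMIN_KEY_FILE (assumed
 * variable name; the file is provisioned at deploy time, not shipped in the
 * binary). Returns the key length, or 0 when unavailable; 0 means "deny",
 * never "fall back to a built-in default". */
size_t load_admin_key(unsigned char *out, size_t cap)
{
    const char *path = getenv("ADMIN_KEY_FILE");
    if (path == NULL) return 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return 0;
    size_t n = fread(out, 1, cap, f);
    fclose(f);
    while (n > 0 && (out[n - 1] == '\n' || out[n - 1] == '\r'))
        n--;                              /* strip a trailing newline */
    return n;
}

/* Same decision as VerifyAdmin above, but the secret arrives as a parameter,
 * so nothing about it is present in the source or the compiled binary. */
int verify_admin_with_key(const char *password,
                          const unsigned char *key, size_t keylen)
{
    if (keylen == 0 || !ct_equal((const unsigned char *)password,
                                 strlen(password), key, keylen)) {
        printf("Incorrect Password!\n");
        return 0;
    }
    printf("Entering Diagnostic Mode...\n");
    return 1;
}
```

A caller loads the key once with load_admin_key and passes it to verify_admin_with_key; a missing key file denies access rather than silently reverting to a literal.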
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-40119 | Cisco Policy Suite Static SSH Keys Vulnerability | Cisco Policy Suite (CPS) Software | 9.8 | Critical | 2021-11-04
CVE-2021-38461 | AUVESY Versiondog | Versiondog | 8.2 | High | 2021-10-22
CVE-2021-32520 | QSAN Storage Manager - Use of Hard-coded Cryptographic Key | Storage Manager | 9.8 | Critical | 2021-07-07
CVE-2021-27481 | ZOLL Defibrillator Dashboard trust management issue vulnerability | ZOLL Defibrillator Dashboard | 6.2 | - | 2021-06-16
CVE-2021-27389 | Siemens Digital Industries Software Opcenter Quality security vulnerability | Opcenter Quality | 9.1 | - | 2021-04-22
CVE-2021-27392 | Siemens Open Network Bridge trust management issue vulnerability | Siveillance Video Open Network Bridge | 8.8 | - | 2021-04-22
CVE-2021-0266 | cSRX: Use of Hard-coded Cryptographic Keys allows an attacker to take control of the device through device management services. | Junos OS | 8.1 | High | 2021-04-22
CVE-2020-7846 | Helpcom trust management issue vulnerability | Helpcom | 8.0 | High | 2021-02-24
CVE-2020-25173 | Reolink P2P Cameras | RLC-4XX series | 7.8 | - | 2021-01-26
CVE-2020-28391 | Siemens SCALANCE X-200 trust management issue vulnerability | SCALANCE X-200 switch family (incl. SIPLUS NET variants) | 5.1 | - | 2021-01-12
CVE-2020-28395 | Multiple Siemens products trust management issue vulnerability | SCALANCE X-200RNA switch family | 5.9 | - | 2021-01-12
CVE-2020-25233 | Siemens LOGO! 8 BM security vulnerability | LOGO! 8 BM (incl. SIPLUS variants) | 5.5 | - | 2020-12-14
CVE-2020-25234 | Siemens LOGO! 8 BM authorization issue vulnerability | LOGO! 8 BM (incl. SIPLUS variants) | 7.7 | - | 2020-12-14
CVE-2020-25229 | Siemens LOGO! 8 BM trust management issue vulnerability | LOGO! 8 BM (incl. SIPLUS variants) | 7.5 | - | 2020-12-14
CVE-2020-25231 | Siemens LOGO! 8 BM security vulnerability | LOGO! 8 BM (incl. SIPLUS variants) | 6.2 | - | 2020-12-14
CVE-2020-25688 | Red Hat Advanced Cluster Management trust management issue vulnerability | rhacm | 4.4 | - | 2020-11-23
CVE-2019-17098 | Use of Hard-coded Cryptographic Key vulnerability in August Connect Wi-Fi Bridge App | Smart Lock and Connect Wi-Fi Bridge App | 3.5 | Low | 2020-09-30
CVE-2020-1764 | Kiali trust management issue vulnerability | kiali | 8.6 | High | 2020-03-26
CVE-2020-10884 | TP-Link Archer A7 AC1750 trust management issue vulnerability | Archer A7 | 8.8 | - | 2020-03-25
CVE-2020-6979 | Moxa EDS-G516E and EDS-510E trust management issue vulnerability | Moxa EDS-G516E Series firmware, Version 5.2 or lower | 7.5 | - | 2020-03-24
CVE-2020-6983 | Moxa PT-7528 and PT-7828 trust management issue vulnerability | Moxa PT-7528 series firmware, Version 4.0 or lower, PT-7828 series firmware, Version 3.9 or lower | 7.5 | - | 2020-03-24
CVE-2020-6990 | Multiple Rockwell Automation products trust management issue vulnerability | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior | 9.8 | - | 2020-03-16
CVE-2019-5137 | Moxa AWK-3131A trust management issue vulnerability | Moxa | 7.5 | - | 2020-02-25
CVE-2019-13929 | Siemens SIMATIC IT Unified Architecture Discrete Manufacturing security feature issue vulnerability | SIMATIC IT UADM | 6.5 | - | 2019-10-10
CVE-2019-10963 | Moxa EDR 810 security vulnerability | Moxa EDR 810 | 5.3 | - | 2019-10-08
CVE-2019-10990 | Red Lion Controls Crimson trust management issue vulnerability | Red Lion Controls Crimson (Windows configuration software) | 7.5 | - | 2019-09-23
CVE-2019-7594 | Metasys use of hardcoded RC2 key | Metasys versions prior to 9.0 | 9.1 | - | 2019-08-20
CVE-2019-10920 | Siemens LOGO! 8 BM trust management issue vulnerability | LOGO! 8 BM (incl. SIPLUS variants) | 7.5 | - | 2019-05-14
CVE-2018-3825 | Elastic Cloud Enterprise security vulnerability | Elastic Cloud Enterprise (ECE) | 5.9 | - | 2018-09-19
CVE-2018-10896 | cloud-init security vulnerability | cloud-init | 6.8 | - | 2018-08-01

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 248 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.