Common Weakness Enumeration

CWE-1394

Allowed

Use of Default Cryptographic Key

Abstraction: Base · Status: Incomplete

The product uses a default cryptographic key for potentially critical functionality.

32 vulnerabilities reference this CWE, most recent first.

GHSA-WMCV-82JV-V932

Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2024-05-31 18:31
VLAI
Details

Use of Default Cryptographic Key vulnerability in Baxter Welch Ally Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Ally Connex Spot Monitor in all versions prior to 1.52.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1394"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-31T18:15:10Z",
    "severity": null
  },
  "details": "Use of Default Cryptographic Key vulnerability in Baxter Welch Ally Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Ally Connex Spot Monitor in all versions prior to 1.52.",
  "id": "GHSA-wmcv-82jv-v932",
  "modified": "2024-05-31T18:31:16Z",
  "published": "2024-05-31T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1275"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XHQV-R4F7-V88G

Vulnerability from github – Published: 2025-04-15 12:30 – Updated: 2025-04-15 12:30
VLAI
Details

Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers.

The system configuration password is an additional, optional protection that is enabled on the Management Server.

To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure.

Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue.

Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1394",
      "CWE-311"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T11:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Milestone Systems has discovered a\nsecurity vulnerability in Milestone XProtect installer that resets system\nconfiguration password after the upgrading from older versions using specific\ninstallers.\n\n\n\nThe system configuration\npassword is an additional, optional protection that is enabled on the\nManagement Server.\n\n\nTo mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure.\n\n\n\nAny system upgraded with\n2024 R1 or 2024 R2 release installer is vulnerable to this issue.\n\n\n\nSystems upgraded from 2023\nR3 or older with version 2025 R1 and newer are not affected.",
  "id": "GHSA-xhqv-r4f7-v88g",
  "modified": "2025-04-15T12:30:24Z",
  "published": "2025-04-15T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1688"
    },
    {
      "type": "WEB",
      "url": "https://supportcommunity.milestonesys.com/KBRedir?art=000069835\u0026lang=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Requirements

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Mitigation
Architecture and Design

Force the administrator to change the credential upon installation.

Mitigation
Installation Operation

The product administrator could change the defaults upon installation or during operation.

No CAPEC attack patterns related to this CWE.