CWE-1394
AllowedUse of Default Cryptographic Key
Abstraction: Base · Status: Incomplete
The product uses a default cryptographic key for potentially critical functionality.
32 vulnerabilities reference this CWE, most recent first.
GHSA-WMCV-82JV-V932
Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2024-05-31 18:31Use of Default Cryptographic Key vulnerability in Baxter Welch Ally Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Ally Connex Spot Monitor in all versions prior to 1.52.
{
"affected": [],
"aliases": [
"CVE-2024-1275"
],
"database_specific": {
"cwe_ids": [
"CWE-1394"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-31T18:15:10Z",
"severity": null
},
"details": "Use of Default Cryptographic Key vulnerability in Baxter Welch Ally Connex Spot Monitor may allow Configuration/Environment Manipulation.This issue affects Welch Ally Connex Spot Monitor in all versions prior to 1.52.",
"id": "GHSA-wmcv-82jv-v932",
"modified": "2024-05-31T18:31:16Z",
"published": "2024-05-31T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1275"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XHQV-R4F7-V88G
Vulnerability from github – Published: 2025-04-15 12:30 – Updated: 2025-04-15 12:30Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers.
The system configuration password is an additional, optional protection that is enabled on the Management Server.
To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure.
Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue.
Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.
{
"affected": [],
"aliases": [
"CVE-2025-1688"
],
"database_specific": {
"cwe_ids": [
"CWE-1394",
"CWE-311"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-15T11:15:44Z",
"severity": "MODERATE"
},
"details": "Milestone Systems has discovered a\nsecurity vulnerability in Milestone XProtect installer that resets system\nconfiguration password after the upgrading from older versions using specific\ninstallers.\n\n\n\nThe system configuration\npassword is an additional, optional protection that is enabled on the\nManagement Server.\n\n\nTo mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure.\n\n\n\nAny system upgraded with\n2024 R1 or 2024 R2 release installer is vulnerable to this issue.\n\n\n\nSystems upgraded from 2023\nR3 or older with version 2025 R1 and newer are not affected.",
"id": "GHSA-xhqv-r4f7-v88g",
"modified": "2025-04-15T12:30:24Z",
"published": "2025-04-15T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1688"
},
{
"type": "WEB",
"url": "https://supportcommunity.milestonesys.com/KBRedir?art=000069835\u0026lang=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.
Mitigation
Force the administrator to change the credential upon installation.
Mitigation
The product administrator could change the defaults upon installation or during operation.
No CAPEC attack patterns related to this CWE.