CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-W7MJ-FRMJ-5G6G
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 18:31In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
{
"affected": [],
"aliases": [
"CVE-2026-33362"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T17:16:31Z",
"severity": "HIGH"
},
"details": "In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps \u003c= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.",
"id": "GHSA-w7mj-frmj-5g6g",
"modified": "2026-05-11T18:31:45Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33362"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W7W2-59M3-J62X
Vulnerability from github – Published: 2026-04-20 06:31 – Updated: 2026-04-20 06:31SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update.
{
"affected": [],
"aliases": [
"CVE-2026-32958"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T04:16:42Z",
"severity": "MODERATE"
},
"details": "SD-330AC and AMC Manager provided by silex technology, Inc. use a hard-coded cryptographic key. An administrative user may be directed to apply a fake firmware update.",
"id": "GHSA-w7w2-59m3-j62x",
"modified": "2026-04-20T06:31:26Z",
"published": "2026-04-20T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32958"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU94271449"
},
{
"type": "WEB",
"url": "https://www.silex.jp/support/security-advisories/2026-001"
},
{
"type": "WEB",
"url": "https://www.silex.jp/support/security-advisories/en/2026-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W9WJ-2HJP-GX85
Vulnerability from github – Published: 2024-11-18 06:30 – Updated: 2024-11-18 06:30The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.
{
"affected": [],
"aliases": [
"CVE-2024-11308"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T06:15:04Z",
"severity": "MODERATE"
},
"details": "The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.",
"id": "GHSA-w9wj-2hjp-gx85",
"modified": "2024-11-18T06:30:36Z",
"published": "2024-11-18T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11308"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8241-1af92-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8240-562c3-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGJQ-HM36-R7R8
Vulnerability from github – Published: 2024-04-30 18:30 – Updated: 2025-03-25 21:31nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-12-01, the vendor indicated plans to fix this in the next image build.
{
"affected": [],
"aliases": [
"CVE-2019-19752"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T18:15:19Z",
"severity": "CRITICAL"
},
"details": "nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-12-01, the vendor indicated plans to fix this in the next image build.",
"id": "GHSA-wgjq-hm36-r7r8",
"modified": "2025-03-25T21:31:29Z",
"published": "2024-04-30T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19752"
},
{
"type": "WEB",
"url": "https://github.com/papampi/nvOC_by_fullzero_Community_Release/commits/release"
},
{
"type": "WEB",
"url": "https://rsaxvc.net/blog/2020/4/10/Widespread_re-use_of_SSH_Host_Keys_in_Ethereum_Mining_Rig_Operating_Systems.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGX5-63FM-M4G7
Vulnerability from github – Published: 2025-09-24 00:30 – Updated: 2025-09-24 00:30The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.
{
"affected": [],
"aliases": [
"CVE-2025-58069"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-23T22:15:34Z",
"severity": "MODERATE"
},
"details": "The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.",
"id": "GHSA-wgx5-63fm-m4g7",
"modified": "2025-09-24T00:30:41Z",
"published": "2025-09-24T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58069"
},
{
"type": "WEB",
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WMWQ-58JV-2QJ3
Vulnerability from github – Published: 2022-04-22 00:00 – Updated: 2022-05-05 00:00A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA. This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA. Note: SSH is not enabled by default on the Umbrella VA.
{
"affected": [],
"aliases": [
"CVE-2022-20773"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-21T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA. This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA. Note: SSH is not enabled by default on the Umbrella VA.",
"id": "GHSA-wmwq-58jv-2qj3",
"modified": "2022-05-05T00:00:47Z",
"published": "2022-04-22T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20773"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uva-static-key-6RQTRs4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP5Q-4QC3-582G
Vulnerability from github – Published: 2024-04-12 15:37 – Updated: 2024-05-16 21:31The Use of a Hard-coded Cryptographic Key vulnerability in Juniper Networks Juniper Cloud Native Router (JCNR) and containerized routing Protocol Deamon (cRPD) products allows an attacker to perform Person-in-the-Middle (PitM) attacks which results in complete compromise of the container.
Due to hardcoded SSH host keys being present on the container, a PitM attacker can intercept SSH traffic without being detected.
This issue affects Juniper Networks JCNR: * All versions before 23.4.
This issue affects Juniper Networks cRPD: * All versions before 23.4R1.
{
"affected": [],
"aliases": [
"CVE-2024-30407"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T15:15:25Z",
"severity": "HIGH"
},
"details": "The Use of a Hard-coded Cryptographic Key vulnerability in Juniper Networks\u00a0Juniper Cloud Native Router (JCNR)\u00a0and\u00a0containerized routing Protocol Deamon (cRPD) products allows an attacker to perform Person-in-the-Middle (PitM) attacks which results in complete compromise of the container. \n\nDue to hardcoded SSH host keys being present on the container, a PitM attacker can intercept SSH traffic without being detected.\u00a0\n\nThis issue affects Juniper Networks JCNR:\n * All versions before 23.4.\n\n\nThis issue affects Juniper Networks cRPD:\n * All versions before 23.4R1.\n\n\n",
"id": "GHSA-wp5q-4qc3-582g",
"modified": "2024-05-16T21:31:56Z",
"published": "2024-04-12T15:37:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30407"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA79106"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA79107"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQXQ-W68R-WG85
Vulnerability from github – Published: 2026-04-09 18:31 – Updated: 2026-04-10 21:34Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.
This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.openmeetings:openmeetings-parent"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33266"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T21:23:53Z",
"nvd_published_at": "2026-04-09T16:16:26Z",
"severity": "HIGH"
},
"details": "Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.\n\nThe remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn\u0027t changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.\n\n\nThis issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
"id": "GHSA-wqxq-w68r-wg85",
"modified": "2026-04-10T21:34:59Z",
"published": "2026-04-09T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33266"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/openmeetings"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache OpenMeetings Uses Hard-coded Cryptographic Key"
}
GHSA-WRQ7-4JJ9-F6RC
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48A vulnerability has been identified in Opcenter Quality (All versions < V12.2), QMS Automotive (All versions < V12.30). A private sign key is shipped with the product without adequate protection.
{
"affected": [],
"aliases": [
"CVE-2021-27389"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T21:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in Opcenter Quality (All versions \u003c V12.2), QMS Automotive (All versions \u003c V12.30). A private sign key is shipped with the product without adequate protection.",
"id": "GHSA-wrq7-4jj9-f6rc",
"modified": "2022-05-24T17:48:17Z",
"published": "2022-05-24T17:48:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27389"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-788287.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WV9R-P2RC-JCRP
Vulnerability from github – Published: 2023-12-15 12:30 – Updated: 2024-10-14 06:30Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information.
{
"affected": [],
"aliases": [
"CVE-2023-48392"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-15T10:15:07Z",
"severity": "CRITICAL"
},
"details": "Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator\u2019s account, to execute login account\u2019s permissions, and obtain relevant information.",
"id": "GHSA-wv9r-p2rc-jcrp",
"modified": "2024-10-14T06:30:43Z",
"published": "2023-12-15T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48392"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7622-57e5f-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.