
CWE-321 (Use of Hard-coded Cryptographic Key) — Vulnerability Class 262

262 vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key). AI Chinese analysis included.

CWE-321 represents a critical implementation weakness where software embeds static, unchangeable cryptographic keys directly into its source code or binary. This flaw severely compromises confidentiality and integrity because attackers can easily extract these keys through reverse engineering or simple code inspection, bypassing the need for complex decryption attacks. Once obtained, adversaries can impersonate legitimate users, decrypt sensitive data, or forge digital signatures with impunity. To mitigate this risk, developers must avoid hardcoding secrets entirely. Instead, they should implement robust key management systems that generate, store, and rotate keys dynamically. Utilizing secure hardware modules, operating system keychains, or dedicated secret management services ensures that cryptographic material remains isolated from the application logic, significantly raising the barrier for potential attackers seeking to compromise the system’s security posture.

MITRE CWE Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Mitigations (1)
Architecture and Design: Prevention schemes mirror that of hard-coded password storage.
Examples (2)
The following code examples attempt to verify a password using a hard-coded cryptographic key.
Bad · C

    int VerifyAdmin(char *password) {
        if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }

Bad · Java

    public boolean VerifyAdmin(String password) {
        if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
            System.out.println("Entering Diagnostic Mode...");
            return true;
        }
        System.out.println("Incorrect Password!");
        return false;
    }
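As an added example (not MITRE's code and not from this page), here is a hardened counterpart to the C snippet above. The secret is no longer compiled into the binary: the caller obtains it at runtime from an external source (an environment variable named ADMIN_SECRET, an assumed name standing in for a keychain, HSM or secret manager), a missing or empty secret fails closed instead of falling back to a default, and the comparison is constant-time rather than strcmp().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constant-time equality over two byte buffers. Unlike strcmp(), the loop
 * runs over the full common length regardless of where the first mismatch
 * occurs, so timing does not reveal how many leading bytes matched. */
static int ct_equal(const unsigned char *a, size_t alen,
                    const unsigned char *b, size_t blen)
{
    unsigned char diff = (alen != blen) ? 1 : 0;
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened counterpart of VerifyAdmin(): the expected secret is passed in by
 * the caller instead of living in the source. Returns 1 on match, 0 otherwise.
 * A NULL or empty secret fails closed; there is no built-in fallback value. */
int verify_admin_with_secret(const char *password, const char *expected)
{
    if (password == NULL || expected == NULL || expected[0] == '\0')
        return 0;
    return ct_equal((const unsigned char *)password, strlen(password),
                    (const unsigned char *)expected, strlen(expected));
}

/* Obtain the secret from outside the binary. ADMIN_SECRET is an assumed
 * variable name; a keychain, HSM or secret manager would take its place in
 * production, but the property that matters is that it is not compiled in. */
const char *load_admin_secret(void)
{
    return getenv("ADMIN_SECRET");
}

int main(void)
{
    const char *expected = load_admin_secret();
    if (expected == NULL || expected[0] == '\0') {
        fprintf(stderr, "ADMIN_SECRET is not set; diagnostic mode disabled\n");
        return 1;
    }
    /* Constructed sample attempt for the demo. */
    const char *attempt = "not-the-secret";
    if (verify_admin_with_secret(attempt, expected))
        printf("Entering Diagnostic Mode...\n");
    else
        printf("Incorrect Password!\n");
    return 0;
}
```

Run it as `ADMIN_SECRET=some-value ./verify_admin`; with the variable unset the program refuses to enter diagnostic mode. Moving the secret out of the source is the CWE-321 fix; the constant-time compare and fail-closed handling are the two checks a reviewer would expect to see alongside it.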
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
Scores and severities marked (AI) are tagged as AI-assessed in the listing.

| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-6890 | Journyx Unauthenticated Password Reset Bruteforce | Journyx (jtime) | 8.1 (AI) | High (AI) | 2024-08-07 |
| CVE-2024-20323 | Cisco Intelligent Node security vulnerability | Cisco Intelligent Node Manager | 7.5 | High | 2024-07-17 |
| CVE-2024-38532 | TEST_KEY used in example dcp_tool reference implementation | mxs-dcp | 7.1 | High | 2024-06-28 |
| CVE-2024-5296 | D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability | D-View | 9.8 (AI) | Critical (AI) | 2024-05-23 |
| CVE-2024-31410 | CyberPower PowerPanel business Use of Hard-coded Cryptographic Key | PowerPanel business | 7.7 | High | 2024-05-15 |
| CVE-2024-30207 | Siemens multiple products security vulnerability | SIMATIC RTLS Locating Manager | 10.0 | Critical | 2024-05-14 |
| CVE-2024-3109 | Motorola GuideMe security vulnerability | Phones | 6.3 | Medium | 2024-05-03 |
| CVE-2023-39482 | Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulnerability | Secure Integration Server | 6.5 | - | 2024-05-03 |
| CVE-2023-39465 | Triangle MicroWorks SCADA Data Gateway Use of Hard-coded Cryptographic Key Information Disclosure Vulnerability | SCADA Data Gateway | 7.5 | - | 2024-05-03 |
| CVE-2023-32169 | D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability | D-View | 9.8 | - | 2024-05-03 |
| CVE-2024-30407 | [Child CVE] JCNR and cRPD: Hard-coded SSH host keys in cRPD may allow Person-in-the-Middle (PitM) attacks | cRPD | 8.1 | High | 2024-04-12 |
| CVE-2023-38535 | OpenText Exceed Turbo X security vulnerability | Exceed Turbo X | 4.7 | Medium | 2024-03-13 |
| CVE-2024-2413 | Intumit SmartRobot - Use of Hard-coded Cryptographic Key | SmartRobot | 9.8 | Critical | 2024-03-13 |
| CVE-2024-1920 | osuuu LightPicture TokenVerify.php handle hard-coded key | LightPicture | 5.6 | Medium | 2024-02-27 |
| CVE-2024-1631 | agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate` | agent-js | 9.1 | Critical | 2024-02-21 |
| CVE-2024-1258 | Juanpao JPShop API params.php hard-coded key | JPShop | 3.1 | Low | 2024-02-06 |
| CVE-2023-6482 | Encryption key derived from static host information | Synaptics Fingerprint Driver | 5.2 | Medium | 2024-01-27 |
| CVE-2023-49256 | Predictable encryption passphrase used in publicly accessible configuration file | H8951-4G-ESP | 7.5 | - | 2024-01-12 |
| CVE-2023-48392 | Kaifa Technology WebITR - Hard-coded Cryptographic Key | WebITR | 9.8 | Critical | 2023-12-15 |
| CVE-2023-40464 | Use of hardcoded certificate and private key | ALEOS | 8.1 | High | 2023-12-04 |
| CVE-2023-44318 | Siemens multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 4.9 | Medium | 2023-11-14 |
| CVE-2023-41137 | AppsAnywhere security vulnerability | AppsAnywhere Client | 8.0 | High | 2023-11-09 |
| CVE-2023-46129 | xkeys Seal encryption used fixed key for all encryption | nkeys | 7.5 | High | 2023-10-30 |
| CVE-2023-42492 | EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key | v3.0.6433.1964 | 7.1 | High | 2023-10-25 |
| CVE-2023-43637 | Vault Key Partially Predetermined | EVE OS | 7.8 | High | 2023-09-21 |
| CVE-2023-39982 | MXsecurity Hardcoded Credential | MXsecurity Series | 7.5 | High | 2023-09-02 |
| CVE-2023-3404 | ProfileGrid <= 5.5.0 - Hardcoded Encryption Key | ProfileGrid – User Profiles, Groups and Communities | 4.9 | Medium | 2023-08-31 |
| CVE-2023-32077 | Netmaker has Hardcoded DNS Secret Key | netmaker | 7.5 | High | 2023-08-24 |
| CVE-2023-3632 | Hard-coded Cryptographic Key in Kunduz - Homework Helper App | Kunduz - Homework Helper App | 9.8 | Critical | 2023-08-09 |
| CVE-2023-3947 | Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure | Video Conferencing with Zoom | 3.7 | Low | 2023-07-26 |

Vulnerabilities classified as CWE-321 (Use of Hard-coded Cryptographic Key) represent 262 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.