CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
504 vulnerabilities reference this CWE, most recent first.
GHSA-5Q75-FHMP-PJMR
Vulnerability from github – Published: 2026-02-06 18:30 – Updated: 2026-02-06 18:30Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.
{
"affected": [],
"aliases": [
"CVE-2026-2103"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-06T17:16:28Z",
"severity": "HIGH"
},
"details": "Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials.",
"id": "GHSA-5q75-fhmp-pjmr",
"modified": "2026-02-06T18:30:32Z",
"published": "2026-02-06T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2103"
},
{
"type": "WEB",
"url": "https://blog.blacklanternsecurity.com/p/cve-2026-2103-infor-syteline-erp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RG7-HR8V-2P3G
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2017-14021"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-01T02:29:00Z",
"severity": "CRITICAL"
},
"details": "A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. An attacker may gain access to hard-coded certificates and private keys allowing the attacker to perform man-in-the-middle attacks.",
"id": "GHSA-5rg7-hr8v-2p3g",
"modified": "2022-05-13T01:37:40Z",
"published": "2022-05-13T01:37:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14021"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101598"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VW4-6M45-994C
Vulnerability from github – Published: 2025-11-08 06:30 – Updated: 2025-11-08 06:30The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.
{
"affected": [],
"aliases": [
"CVE-2025-12177"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-08T04:15:45Z",
"severity": "MODERATE"
},
"details": "The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.",
"id": "GHSA-5vw4-6m45-994c",
"modified": "2025-11-08T06:30:26Z",
"published": "2025-11-08T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12177"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3390068%40download-manager\u0026new=3390068%40download-manager\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5X8Q-JJ28-QG7W
Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2026-05-21 15:33Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass.This issue affects Kunduz - Homework Helper App: before 6.2.3.
{
"affected": [],
"aliases": [
"CVE-2023-3632"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-09T09:15:14Z",
"severity": "CRITICAL"
},
"details": "Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass.This issue affects Kunduz - Homework Helper App: before 6.2.3.",
"id": "GHSA-5x8q-jj28-qg7w",
"modified": "2026-05-21T15:33:59Z",
"published": "2023-08-09T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3632"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0446"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6498-6RJ5-P7PF
Vulnerability from github – Published: 2025-08-26 06:31 – Updated: 2025-08-26 06:31The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.
{
"affected": [],
"aliases": [
"CVE-2025-41702"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T06:15:32Z",
"severity": "CRITICAL"
},
"details": "The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.",
"id": "GHSA-6498-6rj5-p7pf",
"modified": "2025-08-26T06:31:01Z",
"published": "2025-08-26T06:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41702"
},
{
"type": "WEB",
"url": "https://certvde.com/de/advisories/VDE-2025-076"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-64RH-R86Q-75FF
Vulnerability from github – Published: 2021-05-18 18:28 – Updated: 2021-05-06 21:51A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kiali/kiali"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1764"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-06T21:51:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.",
"id": "GHSA-64rh-r86q-75ff",
"modified": "2021-05-06T21:51:32Z",
"published": "2021-05-18T18:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1764"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/93f5cd0b6698e8fe8772afb8f35816f6c086aef1"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/ac7bd6c7ddb2e01356e21d360dd1c718a90706ad"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/ce48af57113c805a25179aaab1a0fac2fb93653f"
},
{
"type": "WEB",
"url": "https://github.com/kiali/kiali/commit/faed1f5f90efae3df9fd6fb793f00ccc242b3a96"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1810383"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764"
},
{
"type": "WEB",
"url": "https://github.com/jpts/cve-2020-1764-poc"
},
{
"type": "WEB",
"url": "https://kiali.io/news/security-bulletins/kiali-security-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Hard coded cryptographic key in Kiali"
}
GHSA-6625-M396-M7CP
Vulnerability from github – Published: 2026-04-17 21:31 – Updated: 2026-04-17 21:31Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.
{
"affected": [],
"aliases": [
"CVE-2026-32324"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-17T20:16:33Z",
"severity": "HIGH"
},
"details": "Anviz CX7 Firmware\u00a0is\u00a0\nvulnerable because the application embeds reusable certificate/key \nmaterial, enabling decryption of MQTT traffic and potential interaction \nwith device messaging channels at scale.",
"id": "GHSA-6625-m396-m7cp",
"modified": "2026-04-17T21:31:46Z",
"published": "2026-04-17T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32324"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
},
{
"type": "WEB",
"url": "https://www.anviz.com/contact-us.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-66Q5-93C3-XQ5W
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.
{
"affected": [],
"aliases": [
"CVE-2020-25234"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions \u003c V8.3), LOGO! Soft Comfort (All versions \u003c V8.3). The LOGO! program files generated and used by the affected components offer the possibility to save user-defined functions (UDF) in a password protected way. This protection is implemented in the software that displays the information. An attacker could reverse engineer the UDFs directly from stored program files.",
"id": "GHSA-66q5-93c3-xq5w",
"modified": "2022-05-24T17:36:18Z",
"published": "2022-05-24T17:36:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25234"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-480824.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-66RR-38W2-26RV
Vulnerability from github – Published: 2023-07-26 06:30 – Updated: 2024-04-04 06:21The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.
{
"affected": [],
"aliases": [
"CVE-2023-3947"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-26T04:15:11Z",
"severity": "MODERATE"
},
"details": "The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the \u0027vczapi_encrypt_decrypt\u0027 function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.",
"id": "GHSA-66rr-38w2-26rv",
"modified": "2024-04-04T06:21:34Z",
"published": "2023-07-26T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3947"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.2.1/includes/helpers.php#L546"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/Helpers/Encryption.php?rev=2942302"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba2515d9-ced0-4b49-87c4-04c8391c2608?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-685X-Q473-XPPX
Vulnerability from github – Published: 2024-03-14 00:31 – Updated: 2024-03-14 00:31Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.
{
"affected": [],
"aliases": [
"CVE-2023-38535"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-13T22:15:08Z",
"severity": "MODERATE"
},
"details": "Use of Hard-coded Cryptographic Key vulnerability in\u00a0OpenText\u2122\u00a0Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys.\u00a0\u00a0",
"id": "GHSA-685x-q473-xppx",
"modified": "2024-03-14T00:31:05Z",
"published": "2024-03-14T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38535"
},
{
"type": "WEB",
"url": "https://support.opentext.com/csm?id=kb_article_view\u0026sysparm_article=KB0801267"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.