CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
504 vulnerabilities reference this CWE, most recent first.
GHSA-6C8G-9HFH-PQ5H
Vulnerability from github – Published: 2026-05-19 14:44 – Updated: 2026-06-09 11:56Summary
The hmacBase64() function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.
Details
Bug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.
Bug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.
Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of privateKey+salt. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.
The /system/api/connectionSettings endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.
The PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.
PoC
- GET request to
/system/api/connectionSettingsendpoint and fetch the token. - Extract the private key from the fetched token. The
hmacBase64()function produces 32 bytes with HMAC-SHA256 with hardcoded key "0" and the rest of the bytes areprivateKey+salt(plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key). - Since JWT's are signed with
privateKey+salt, use this stolen private key to forge a JWT for admin usingJWT.sign(payload, this.privateKey+this.salt). NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)} - The same key can also be used to create other tokens (user_token, base_token, form_token, etc).
- Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.
Impact
An unauthenticated attacker can perform the complete attack chain with a single HTTP request: 1. Extract private key: GET "/system/api/connectionSettings", base64-decode any token, discard first 32 bytes. 2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt. 3. Forge all request tokens: compute valid user_token, site_token for any API call. 4. Full admin access: create/modify/delete sites, upload files, modify content.
This works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/haxcms-nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46395"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-321",
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T14:44:55Z",
"nvd_published_at": "2026-06-05T19:16:33Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThe `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system\u2019s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.\n\n### Details\nBug 1: Hardcoded HMAC Key (line 2160): The function passes the literal string \"0\" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input.\n\nBug 2: Private Key Appended to Output (lines 2161- 2163): After computing the HMAC, the function concatenates the real key parameter which is \"this.privateKey + this.salt\", the system\u2019s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token.\n\nEvery base64url token produced has the same structure: 32 bytes HMAC keyed with \"0\" and N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly.\n\nThe `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key.\n\nThe PHP backend (HAXCMS.php:1619-1631) implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens.\n\n### PoC\n1. GET request to `/system/api/connectionSettings` endpoint and fetch the token.\n2. Extract the private key from the fetched token. The `hmacBase64()` function produces 32 bytes with HMAC-SHA256 with hardcoded key \"0\" and the rest of the bytes are `privateKey+salt` (plaintext). Decode the Base64 token, discard the first 32 bytes, read the remaining bytes as UTF-8 (this is your extracted private key).\n3. Since JWT\u0027s are signed with `privateKey+salt`, use this stolen private key to forge a JWT for admin using `JWT.sign(payload, this.privateKey+this.salt)`. NOTE: the payload uses {id, user (set this as admin), iat (current timestamp), exp (expiration timestamp)}\n4. The same key can also be used to create other tokens (user_token, base_token, form_token, etc).\n5. Use these forged tokens to hit all authenticated endpoints (modify/delete/create etc) with admin privileges.\n\n### Impact\nAn unauthenticated attacker can perform the complete attack chain with a single HTTP request:\n1. Extract private key: GET \"/system/api/connectionSettings\", base64-decode any token, discard first 32 bytes.\n2. Forge admin JWT: sign arbitrary JWT payloads with the stolen privateKey+salt.\n3. Forge all request tokens: compute valid user_token, site_token for any API call.\n4. Full admin access: create/modify/delete sites, upload files, modify content.\n\nThis works even if the admin has changed the default credentials to a strong password. The forged tokens produce no login events in logs.",
"id": "GHSA-6c8g-9hfh-pq5h",
"modified": "2026-06-09T11:56:50Z",
"published": "2026-05-19T14:44:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-6c8g-9hfh-pq5h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46395"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "HAXcms: Private Key Disclosure via Broken HMAC Implementation"
}
GHSA-6CR4-7C7P-P3XV
Vulnerability from github – Published: 2022-05-14 01:17 – Updated: 2022-07-13 18:30DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "5.5.0"
},
{
"fixed": "5.5.34"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-5064"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-13T18:30:02Z",
"nvd_published_at": "2012-01-14T21:55:00Z",
"severity": "MODERATE"
},
"details": "DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.",
"id": "GHSA-6cr4-7c7p-p3xv",
"modified": "2022-07-13T18:30:02Z",
"published": "2022-05-14T01:17:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0074.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0075.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0076.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/57126"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1087655"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1158180"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc?view=rev\u0026rev=1159309"
},
{
"type": "WEB",
"url": "http://tomcat.apache.org/security-5.html"
},
{
"type": "WEB",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"type": "WEB",
"url": "http://tomcat.apache.org/security-7.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2401"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Use of Hard-coded Cryptographic Key in Apache Tomcat"
}
GHSA-6JFW-MX4Q-GMHR
Vulnerability from github – Published: 2025-09-15 18:31 – Updated: 2025-09-15 21:30An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with shared firmware.
{
"affected": [],
"aliases": [
"CVE-2025-57174"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T17:15:35Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555 which uses static AES encryption keys hardcoded in the binary. These keys are identical across all devices, allowing attackers to craft encrypted packets that execute arbitrary commands without authentication. This is a failed patch for CVE-2017-7318. This issue may affect other Etherhaul series devices with shared firmware.",
"id": "GHSA-6jfw-mx4q-gmhr",
"modified": "2025-09-15T21:30:55Z",
"published": "2025-09-15T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57174"
},
{
"type": "WEB",
"url": "https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce"
},
{
"type": "WEB",
"url": "http://ceragon.com"
},
{
"type": "WEB",
"url": "http://etherhaul.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6RFG-CMRR-C9J6
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.
{
"affected": [],
"aliases": [
"CVE-2024-33504"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T17:15:22Z",
"severity": "MODERATE"
},
"details": "A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the \u0027private-data-encryption\u0027 setting is enabled.",
"id": "GHSA-6rfg-cmrr-c9j6",
"modified": "2025-02-11T18:31:34Z",
"published": "2025-02-11T18:31:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33504"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-094"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6RRW-4FM9-RGHV
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-02-23 15:45Netmaker prior to versions 0.8.5, 0.9.4, 0.10.0, and 0.10.1 uses a hard-coded cryptographic key.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/gravitl/netmaker"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0664"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-23T15:45:21Z",
"nvd_published_at": "2022-02-18T14:15:00Z",
"severity": "HIGH"
},
"details": "Netmaker prior to versions 0.8.5, 0.9.4, 0.10.0, and 0.10.1 uses a hard-coded cryptographic key.",
"id": "GHSA-6rrw-4fm9-rghv",
"modified": "2022-02-23T15:45:21Z",
"published": "2022-02-19T00:01:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0664"
},
{
"type": "WEB",
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
},
{
"type": "PACKAGE",
"url": "https://github.com/gravitl/netmaker"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Hard-coded Cryptographic Key in Netmaker"
}
GHSA-6WJV-8P85-PCXM
Vulnerability from github – Published: 2025-11-19 18:31 – Updated: 2025-11-25 21:32Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.
{
"affected": [],
"aliases": [
"CVE-2025-13316"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-19T18:15:48Z",
"severity": "HIGH"
},
"details": "Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.",
"id": "GHSA-6wjv-8p85-pcxm",
"modified": "2025-11-25T21:32:05Z",
"published": "2025-11-19T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13316"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-73H9-JVHG-453M
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper the configuration file of the product, and a victim administrator may be tricked to use a crafted configuration file.
{
"affected": [],
"aliases": [
"CVE-2026-25107"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T13:16:37Z",
"severity": "MODERATE"
},
"details": "ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. An attacker who knows the encryption key can tamper the configuration file of the product, and a victim administrator may be tricked to use a crafted configuration file.",
"id": "GHSA-73h9-jvhg-453m",
"modified": "2026-05-13T18:30:52Z",
"published": "2026-05-13T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25107"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN03037325"
},
{
"type": "WEB",
"url": "https://www.elecom.co.jp/news/security/20260512-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-77RP-FP5P-7WGW
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-13842"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T16:15:39Z",
"severity": "MODERATE"
},
"details": "A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.",
"id": "GHSA-77rp-fp5p-7wgw",
"modified": "2025-02-11T18:31:34Z",
"published": "2025-02-11T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13842"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7954-XQV5-FH2R
Vulnerability from github – Published: 2025-12-26 06:30 – Updated: 2026-01-07 21:31Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
{
"affected": [],
"aliases": [
"CVE-2025-52601"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-26T05:16:11Z",
"severity": "MODERATE"
},
"details": "Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager that a hardcoded encryption key for sensitive information. An attacker can use key to decrypt sensitive information. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.",
"id": "GHSA-7954-xqv5-fh2r",
"modified": "2026-01-07T21:31:52Z",
"published": "2025-12-26T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52601"
},
{
"type": "WEB",
"url": "https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7FJ9-WG8V-V4F2
Vulnerability from github – Published: 2022-05-17 04:14 – Updated: 2025-11-03 21:30Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network.
{
"affected": [],
"aliases": [
"CVE-2014-5403"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-04-03T10:59:00Z",
"severity": "MODERATE"
},
"details": "Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network.",
"id": "GHSA-7fj9-wg8v-v4f2",
"modified": "2025-11-03T21:30:28Z",
"published": "2022-05-17T04:14:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5403"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-090-03.json"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-090-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.